CVE-2015-3268
MEDIUMApache OFBiz < 12.04.06 and 13.07.x < 13.07.03 - Cross-Site Scripting via DisplayEntityField Description Attribute
Title source: llmDescription
Cross-site scripting (XSS) vulnerability in the DisplayEntityField.getDescription method in ModelFormField.java in Apache OFBiz before 12.04.06 and 13.07.x before 13.07.03 allows remote attackers to inject arbitrary web script or HTML via the description attribute of a display-entity element.
References (7)
Core 7
Core References
Patch, Vendor Advisory x_refsource_confirm
http://ofbiz.apache.org/download.html#vulnerabilities
Various Sources x_refsource_confirm
https://blogs.apache.org/ofbiz/entry/announce_apache_ofbiz_12_04
Various Sources x_refsource_confirm
https://issues.apache.org/jira/browse/OFBIZ-6506
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1035514
Patch, Vendor Advisory x_refsource_confirm
https://blogs.apache.org/ofbiz/entry/announce_apache_ofbiz_13_07
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/136638/Apache-OFBiz-13.07.02-13.07.01-Information-Disclosure.html
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/538033/100/0/threaded
Scores
CVSS v3
6.1
EPSS
0.0526
EPSS Percentile
90.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (7)
apache/ofbiz
12.04.01
apache/ofbiz
12.04.02
apache/ofbiz
12.04.03
apache/ofbiz
12.04.04
apache/ofbiz
12.04.05
apache/ofbiz
13.07.01
apache/ofbiz
13.07.02
Published
Apr 12, 2016
Tracked Since
Feb 18, 2026