CVE-2016-6800
MEDIUMApache OFBiz - Stored Cross-Site Scripting in Blog Article Summary and Content Fields
Title source: llmDescription
The default configuration of the Apache OFBiz framework offers a blog functionality. Different users are able to operate blogs which are related to specific parties. In the form field for the creation of new blog articles the user input of the summary field as well as the article field is not properly sanitized. It is possible to inject arbitrary JavaScript code in these form fields. This code gets executed from the browser of every user who is visiting this article. Mitigation: Upgrade to Apache OFBiz 16.11.01.
References (2)
Core 2
Core References
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/28987cffe0237fa67eca9de8bbbc04a917ac8785342ad9e5a196c978%40%3Cuser.ofbiz.apache.org%3E
Mailing List, Mitigation, Vendor Advisory mailing-list
x_refsource_mlist
https://s.apache.org/Owsz
Scores
CVSS v3
6.1
EPSS
0.0129
EPSS Percentile
79.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (21)
apache/ofbiz
11.04
apache/ofbiz
11.04.01
apache/ofbiz
11.04.02
apache/ofbiz
11.04.03
apache/ofbiz
11.04.04
apache/ofbiz
11.04.05
apache/ofbiz
11.04.06
apache/ofbiz
12.04
apache/ofbiz
12.04.01
apache/ofbiz
12.04.02
... and 11 more
Published
Aug 30, 2017
Tracked Since
Feb 18, 2026