CVE-2017-15714
CRITICAL: Apache OFBiz 16.11.01-16.11.03 - Cross-Site Scripting via BIRT Plugin URL Parameter
Title source: llmDescription
The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape the user-supplied property value passed to it. This allows code injection by passing that code through the URL. For example, appending "__format=%27;alert(%27xss%27)" to the URL causes an alert window to execute.
References (1)
- https://s.apache.org/UO3W (mailing list, x_refsource_mlist; tagged Exploit, Issue Tracking, Third Party Advisory)
Scores
CVSS v3: 9.8
EPSS: 0.0068
EPSS Percentile: 71.8%
Attack Vector: NETWORK
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-74
Status: published
Products (3)
- apache/ofbiz 16.11.01
- apache/ofbiz 16.11.02
- apache/ofbiz 16.11.03
Published: Jan 04, 2018
Tracked Since: Feb 18, 2026