[CVE-2013-2137] Apache OFBiz XSS vulnerability in the "View Log" screen of the Webtools application

From: Jacopo Cappellato (jacopoc@apache.org)
Date: Sat Jul 20 2013 - 11:02:42 CDT


CVE-2013-2137 - Apache OFBiz XSS vulnerability in the "View Log" screen of the Webtools application

Vendor:
The Apache Software Foundation

Versions Affected:
Apache OFBiz 10.04.01 to 10.04.05
Apache OFBiz 11.04.01 to 11.04.02
Apache OFBiz 12.04.01

Description:

An XSS vulnerability exists in the "View Log" screen of the Webtools application because the log content displayed in that HTML page was not properly output-encoded.
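The defect class described above, as an added illustration that is not code from Apache OFBiz or from the advisory: a minimal log viewer that copies log lines into HTML verbatim, beside the corrected version that entity-encodes each line, with a small check over the rendered output. The log lines and function names are constructed for the example.

```python
import html
import re

# Constructed sample log lines. The second carries markup that reached the log
# through user-influenced input (anything a request can cause to be logged);
# the third shows ordinary characters that also need encoding.
SAMPLE_LOG = [
    "2013-07-20 11:02:42,000 INFO  Request processed for user admin",
    "2013-07-20 11:02:43,000 WARN  Lookup failed for item <script>x</script>",
    "2013-07-20 11:02:44,000 INFO  Comparing 1 < 2 && 2 > 1",
]


def render_log_unencoded(lines):
    """The flaw class in the advisory: log text placed into the page body as-is,
    so any markup inside a log entry is interpreted by the browser."""
    return "<pre>" + "\n".join(lines) + "</pre>"


def render_log_encoded(lines):
    """The fix: entity-encode every log line before it is emitted into HTML,
    so the browser shows the log text literally instead of parsing it."""
    body = "\n".join(html.escape(line, quote=True) for line in lines)
    return "<pre>" + body + "</pre>"


# Matches any tag-like token other than the viewer's own <pre> wrapper.
TAG_RE = re.compile(r"<(?!/?pre>)[^>]+>")


def contains_foreign_markup(rendered):
    """Check the rendered page: nothing except the viewer's own <pre> wrapper
    should be left for the browser to treat as a tag."""
    return TAG_RE.search(rendered) is not None


if __name__ == "__main__":
    print("unencoded leaks markup:", contains_foreign_markup(render_log_unencoded(SAMPLE_LOG)))
    print("encoded leaks markup:  ", contains_foreign_markup(render_log_encoded(SAMPLE_LOG)))
```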

Mitigation:
10.04.x users should upgrade to 10.04.06
11.04.x users should upgrade to 11.04.03
12.04.01 users should upgrade to 12.04.02

Credit:
This issue was discovered by Grégory Draperi (gregory.draperi@gmail.com).

References:

http://ofbiz.apache.org/download.html#vulnerabilities
