CVE-2010-0432
Last modified
CVE-2010-0432 is a vulnerability of currently unknown severity. Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 09.04 and earlier, as used in Opentaps, Neogia, and Entente Oya, allow remote attackers to inject arbitrary web script or HTML via (1) the productStoreId parameter to control/exportProductListing, (2) the partyId parameter to partymgr/control/viewprofile (aka partymgr/control/login), (3) the start parameter to myportal/control/showPortalPage, (4) an invalid URI beginning with /facility/control/ReceiveReturn (aka /crmsfa/control/ReceiveReturn or /cms/control/ReceiveReturn), (5) the contentId parameter (aka the entityName variable) to ecommerce/control/ViewBlogArticle, (6) the entityName parameter to webtools/control/FindGeneric, or the (7) subject or (8) content parameter to an unspecified component under ecommerce/control/contactus.. EPSS estimates a 22.94% chance of exploitation in the next 30 days.
Description
Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 09.04 and earlier, as used in Opentaps, Neogia, and Entente Oya, allow remote attackers to inject arbitrary web script or HTML via (1) the productStoreId parameter to control/exportProductListing, (2) the partyId parameter to partymgr/control/viewprofile (aka partymgr/control/login), (3) the start parameter to myportal/control/showPortalPage, (4) an invalid URI beginning with /facility/control/ReceiveReturn (aka /crmsfa/control/ReceiveReturn or /cms/control/ReceiveReturn), (5) the contentId parameter (aka the entityName variable) to ecommerce/control/ViewBlogArticle, (6) the entityName parameter to webtools/control/FindGeneric, or the (7) subject or (8) content parameter to an unspecified component under ecommerce/control/contactus.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Ofbiz | <= 09.04 |
References
- http://svn.apache.org/viewvc?view=revision&revision=920369Vendor Advisory
- http://svn.apache.org/viewvc?view=revision&revision=920370Vendor Advisory
- http://svn.apache.org/viewvc?view=revision&revision=920371Vendor Advisory
- http://svn.apache.org/viewvc?view=revision&revision=920372Vendor Advisory
- http://svn.apache.org/viewvc?view=revision&revision=920379Vendor Advisory
- http://svn.apache.org/viewvc?view=revision&revision=920380Vendor Advisory
- http://svn.apache.org/viewvc?view=revision&revision=920381Vendor Advisory
- http://svn.apache.org/viewvc?view=revision&revision=920382Vendor Advisory
- http://www.bonsai-sec.com/en/research/vulnerabilities/apacheofbiz-multiple-xss-0103.phpExploit, Third Party Advisory
- http://www.securityfocus.com/bid/39489Exploit, Third Party Advisory
- http://svn.apache.org/viewvc?view=revision&revision=920369Vendor Advisory
- http://svn.apache.org/viewvc?view=revision&revision=920370Vendor Advisory
- http://svn.apache.org/viewvc?view=revision&revision=920371Vendor Advisory
- http://svn.apache.org/viewvc?view=revision&revision=920372Vendor Advisory
- http://svn.apache.org/viewvc?view=revision&revision=920379Vendor Advisory
- http://svn.apache.org/viewvc?view=revision&revision=920380Vendor Advisory
- http://svn.apache.org/viewvc?view=revision&revision=920381Vendor Advisory
- http://svn.apache.org/viewvc?view=revision&revision=920382Vendor Advisory
- http://www.bonsai-sec.com/en/research/vulnerabilities/apacheofbiz-multiple-xss-0103.phpExploit, Third Party Advisory
- http://www.securityfocus.com/bid/39489Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2010-0432?
How severe is CVE-2010-0432?
How do I fix CVE-2010-0432?
Are you affected by CVE-2010-0432?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST