SB2014061903 - Cross-site scripting in OFBiz

Description

This security bulletin contains information about 1 security vulnerability.

1) Cross-site scripting (CVE-ID: CVE-2012-1621)

Vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by an input validation error in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.02 when processing (1) a parameter array in freemarker templates, the (2) contentId or (3) mapKey parameter in a cms event request, which are not properly handled in an error message, or unspecified input in (4) an ajax request to the getServerError function in checkoutProcess.js or (5) a Webslinger component request. NOTE: some of these details are obtained from third party information. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

• http://mail-archives.apache.org/mod_mbox/ofbiz-dev/201204.mbox/%3CA126EDA0-06A5-4B67-8CDD-FC5F5AABA147@apache.org%3E
• http://mail-archives.apache.org/mod_mbox/www-announce/201204.mbox/%3C2B984C00-EC65-4455-98D3-55735ABE8AF9@apache.org%3E
• http://ofbiz.apache.org/download.html#vulnerabilities
• http://osvdb.org/show/osvdb/81346
• http://osvdb.org/show/osvdb/81347
• http://osvdb.org/show/osvdb/81348
• http://osvdb.org/show/osvdb/81349
• http://seclists.org/bugtraq/2012/Apr/101
• http://seclists.org/fulldisclosure/2012/Apr/172
• http://secunia.com/advisories/48800
• http://www.securityfocus.com/bid/53023
• http://www.securitytracker.com/id?1026927
• https://exchange.xforce.ibmcloud.com/vulnerabilities/74870