First published: Thu Apr 15 2010
Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 09.04 and earlier, as used in Opentaps, Neogia, and Entente Oya, allow remote attackers to inject arbitrary web script or HTML via (1) the productStoreId parameter to control/exportProductListing, (2) the partyId parameter to partymgr/control/viewprofile (aka partymgr/control/login), (3) the start parameter to myportal/control/showPortalPage, (4) an invalid URI beginning with /facility/control/ReceiveReturn (aka /crmsfa/control/ReceiveReturn or /cms/control/ReceiveReturn), (5) the contentId parameter (aka the entityName variable) to ecommerce/control/ViewBlogArticle, (6) the entityName parameter to webtools/control/FindGeneric, or the (7) subject or (8) content parameter to an unspecified component under ecommerce/control/contactus.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix
---|---|---
Apache OFBiz | <=09.04 | Upgrade to a release later than 09.04
CVE-2010-0432 covers multiple cross-site scripting (XSS) vulnerabilities in Apache OFBiz that let remote attackers inject arbitrary web script or HTML through the request parameters and URIs listed above.
Apache OFBiz versions up to and including 09.04 are affected, as are products that bundle it, such as Opentaps, Neogia and Entente Oya.
To mitigate CVE-2010-0432, update Apache OFBiz to a release later than 09.04 in which the vulnerabilities are patched; deployments that obtain OFBiz through Opentaps, Neogia or Entente Oya need the corresponding update from those projects.
Although CVE-2010-0432 is not classified as critical, it still poses a significant risk because the affected parameters are reflected into pages served to other users.
CVE-2010-0432 can seriously affect web application security: an attacker who gets a user to open a crafted link can execute script in that user's session against the OFBiz application.
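The following is an added example, not code from the advisory or from the OFBiz project, that turns the sink list in the description above into a reflection check an operator can run before and after the upgrade. It builds one probe URL per parameter named in the CVE, then classifies a response as reflecting the probe raw (exploitable), HTML-encoded (the fix is in effect) or not at all. The host name, the canary string, the assumption that item (4) reflects the trailing path segment after ReceiveReturn, and the sample page templates are all constructed for the example.

```python
"""Constructed example for CVE-2010-0432 (added here; not from the advisory
or the OFBiz project). Builds probe URLs for the sinks named in the CVE and
classifies whether a response reflects the probe string raw, HTML-encoded,
or not at all. Host name, canary and sample templates are assumptions."""
import html
from urllib.parse import quote, urlencode, urljoin

# Query-parameter sinks taken from the CVE text (items 1, 2, 3, 5 and 6).
# Items 7 and 8 name no concrete endpoint, so they are not probed here.
PARAM_SINKS = [
    ("control/exportProductListing", "productStoreId"),
    ("partymgr/control/viewprofile", "partyId"),
    ("myportal/control/showPortalPage", "start"),
    ("ecommerce/control/ViewBlogArticle", "contentId"),
    ("webtools/control/FindGeneric", "entityName"),
]
# Item 4 reflects part of an invalid URI; assumption: the trailing path
# segment after ReceiveReturn is what ends up in the error page.
PATH_SINKS = ["facility/control/ReceiveReturn/"]

# Assumed canary: unique, unlikely to occur naturally, and containing the
# HTML metacharacters whose survival distinguishes raw from encoded output.
CANARY = "xss9f3c<\"'>"


def build_probe_urls(base_url, canary=CANARY):
    """Return one probe URL per sink with the canary in the suspect position."""
    urls = [urljoin(base_url, f"{path}?{urlencode({param: canary})}")
            for path, param in PARAM_SINKS]
    urls += [urljoin(base_url, path + quote(canary, safe=""))
             for path in PATH_SINKS]
    return urls


def classify_reflection(body, canary=CANARY):
    """'raw' when the canary comes back verbatim (exploitable), 'encoded' when
    it comes back HTML-escaped (the fix in effect), 'none' when absent."""
    if canary in body:
        return "raw"
    if (html.escape(canary, quote=True) in body
            or html.escape(canary, quote=False) in body):
        return "encoded"
    return "none"


# Constructed stand-ins for the two states of an affected page.
PROFILE_TEMPLATE = "<html><body><h1>Profile for ${value}</h1></body></html>"


def render_unsafe(template, value):
    """Vulnerable pattern: the request parameter is concatenated into HTML."""
    return template.replace("${value}", value)


def render_safe(template, value):
    """Hardened pattern: the parameter is HTML-encoded before rendering."""
    return template.replace("${value}", html.escape(value, quote=True))


if __name__ == "__main__":
    import sys
    import urllib.request
    from urllib.error import HTTPError

    if len(sys.argv) != 2:
        sys.exit("usage: probe.py https://ofbiz.example/")
    for url in build_probe_urls(sys.argv[1]):
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                body = resp.read().decode("utf-8", "replace")
        except HTTPError as err:            # error pages can reflect too (item 4)
            body = err.read().decode("utf-8", "replace")
        except OSError as err:
            print(f"{url}: request failed ({err})")
            continue
        print(f"{url}: {classify_reflection(body)}")
```

Run it against a test instance with `python probe.py https://your-ofbiz-host/`; a `raw` verdict on any URL means the parameter is still echoed without encoding. Error responses are read as well, because the ReceiveReturn case in the description is reflected through an invalid URI rather than a successful page.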