First published: Thu Jan 04 2018
The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape a user input property passed to it. This allows code injection by passing that code through the URL. For example, appending the code "__format=%27;alert(%27xss%27)" to the URL causes an alert window to execute.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
Apache OFBiz | =16.11.01 | |
Apache OFBiz | =16.11.02 | |
Apache OFBiz | =16.11.03 | |
CVE-2017-15714 is a vulnerability in the BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 that allows for code injection through user input.
CVE-2017-15714 is classified as critical with a severity rating of 9.8 out of 10.
CVE-2017-15714 occurs when the BIRT plugin in Apache OFBiz does not properly escape user input, allowing for code injection.
CVE-2017-15714 can be exploited by passing malicious code through the URL to execute arbitrary code.
Yes, the fix for CVE-2017-15714 is available in Apache OFBiz versions 16.11.04 and later.
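To check whether requests of the kind described above have reached a server, web access logs can be searched for `__format` values that are not plain format tokens. The following is an added example, not code from Apache OFBiz or from this advisory; the log layout (a quoted request line after the client address), the allowlist pattern, the `/example/report` path and the sample lines are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: a legitimate __format value is a short alphanumeric token such as "pdf".
SAFE_FORMAT = re.compile(r"[A-Za-z0-9_]{1,16}")
# Request line as it appears in common/combined-style access logs.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def format_values(target):
    """Return every URL-decoded __format value found in a request target."""
    values = []
    for pair in urlsplit(target).query.split("&"):
        name, _, value = pair.partition("=")
        if unquote_plus(name) == "__format":
            values.append(unquote_plus(value))
    return values


def suspicious_requests(log_lines):
    """Return (line_number, client, value) for each __format value outside the allowlist."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line in the assumed layout
        client = line.split()[0]
        for value in format_values(match.group(1)):
            if not SAFE_FORMAT.fullmatch(value):
                hits.append((number, client, value))
    return hits


# Constructed sample log lines (not real traffic); addresses and paths are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jan/2018:10:00:00 +0000] "GET /example/report?__format=pdf HTTP/1.1" 200 5120',
    '192.0.2.11 - - [04/Jan/2018:10:00:05 +0000] "GET /example/report?__format=%27;alert(%27xss%27) HTTP/1.1" 200 812',
    '192.0.2.12 - - [04/Jan/2018:10:00:12 +0000] "GET /example/other?id=7 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, client, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {client} sent __format={value!r}")
```

A hit shows only that such a request was received; whether the server was affected depends on the OFBiz version it was running at the time.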