Date: Fri, 8 Apr 2016 21:57:35 +0200 From: "jleroux@...che.org" <jleroux@...che.org> To: oss-security@...ts.openwall.com, bugtraq@...urityfocus.com Subject: CVE-2015-3268: Apache OFBiz information disclosure vulnerability CVE-2015-3268: Apache OFBiz information disclosure vulnerability ========================================== Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: Apache OFBiz 13.07.02 and 13.07.01 Apache OFBiz 12.04.05 and earlier releases in the series (12.04.*) The unsupported releases 11.04.*, 10.04.* and 09.04 versions are also affected (Lilian Iatco reported he tried with r691692, which is early March 2008) Description: Stored Cross-Site Scripting Vulnerability affecting the description attribute of the display-entity element because it was not escaped. Mitigation: 13.07.* users should upgrade to 13.07.03 12.04.05 users should upgrade to 12.04.06 You can find more information at https://issues.apache.org/jira/browse/OFBIZ-6506 Credit: This issue was discovered by Lilian Iatco and reported at https://issues.apache.org/jira/browse/OFBIZ-6506 References: http://ofbiz.apache.org/download.html#vulnerabilities ========================================== Jacques
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.