Vulnerability in Apache Ofbiz
CVE-2020-1943
Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07.
EPSS: 0.845 (99.3th percentile) — read the EPSS interpretation.
Affected products
- Apache Ofbiz — versions 16.11.01 to 16.11.07
Public proof-of-concept exploits
References
- s.apache.org/pr5u8 (x_refsource_MISC)
- [ofbiz-commits] 20200430 svn commit: r1877207 - in /ofbiz/site: security.html template/page/security.tpl.php (mailing-list, x_refsource_MLIST)
- [ofbiz-dev] 20200705 Error.ftl everywhere (mailing-list, x_refsource_MLIST)
- [ofbiz-dev] 20200715 Re: Error.ftl everywhere (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2020-1943?
- CVE-2020-1943 is a vulnerability in Apache Ofbiz. Published 2020-04-01.
- Is CVE-2020-1943 known to be exploited?
- 7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.