CVE-2016-6800 — MEDIUM (6.1)

Vulnerability Description

The default configuration of the Apache OFBiz framework offers a blog functionality. Different users are able to operate blogs which are related to specific parties. In the form field for the creation of new blog articles the user input of the summary field as well as the article field is not properly sanitized. It is possible to inject arbitrary JavaScript code in these form fields. This code gets executed from the browser of every user who is visiting this article. Mitigation: Upgrade to Apache OFBiz 16.11.01.

CVSS Score

6.1

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Ofbiz	11.04

Related Weaknesses (CWE)

CWE-79

References

https://lists.apache.org/thread.html/28987cffe0237fa67eca9de8bbbc04a917ac8785342
https://s.apache.org/OwszMailing ListMitigationVendor Advisory
https://lists.apache.org/thread.html/28987cffe0237fa67eca9de8bbbc04a917ac8785342
https://s.apache.org/OwszMailing ListMitigationVendor Advisory

FAQ

What is CVE-2016-6800?

CVE-2016-6800 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The default configuration of the Apache OFBiz framework offers a blog functionality. Different users are able to operate blogs which are related to specific parties. In the form field for the creation...

How severe is CVE-2016-6800?

CVE-2016-6800 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-6800?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Ofbiz.