CVE-2020-9496 — MEDIUM (6.1)

Vulnerability Description

XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Ofbiz	17.12.03

Related Weaknesses (CWE)

CWE-79 CWE-502

References

http://packetstormsecurity.com/files/158887/Apache-OFBiz-XML-RPC-Java-DeserializExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/161769/Apache-OFBiz-XML-RPC-Java-DeserializExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/163730/Apache-OfBiz-17.12.01-Remote-CommandExploitThird Party AdvisoryVDB Entry
https://lists.apache.org/thread.html/r0a0a701610b3bcdf14634047313adab3f1628bb9aa
https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c1
https://lists.apache.org/thread.html/r8fb319dc1f196563955fbf5e9cf454fb9d6c27c205
https://lists.apache.org/thread.html/ra43cfe80226c3b23cd775f3543da10c035ad9c9943
https://lists.apache.org/thread.html/raf6020f765f12711e817ce13df63ecd7d677eebea8
https://lists.apache.org/thread.html/rde93e1c91620335b72b798f78ab4459d3f7b06f960
https://s.apache.org/l0994Mailing ListVendor Advisory
http://packetstormsecurity.com/files/158887/Apache-OFBiz-XML-RPC-Java-DeserializExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/161769/Apache-OFBiz-XML-RPC-Java-DeserializExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/163730/Apache-OfBiz-17.12.01-Remote-CommandExploitThird Party AdvisoryVDB Entry
https://lists.apache.org/thread.html/r0a0a701610b3bcdf14634047313adab3f1628bb9aa
https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c1

FAQ

What is CVE-2020-9496?

CVE-2020-9496 is a vulnerability with a CVSS score of 6.1 (MEDIUM). XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03

How severe is CVE-2020-9496?

CVE-2020-9496 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-9496?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Ofbiz.