Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2010-0432Cross-site Scripting in Apache Ofbiz

CWE-79Cross-site Scripting7 documents5 sources
Severity
4.3MEDIUMNVD
EPSS
45.9%
top 2.37%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Apache Ofbiz
Timeline
PublishedApr 15
Latest updateMay 2

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 09.04 and earlier, as used in Opentaps, Neogia, and Entente Oya, allow remote attackers to inject arbitrary web script or HTML via (1) the productStoreId parameter to control/exportProductListing, (2) the partyId parameter to partymgr/control/viewprofile (aka partymgr/control/login), (3) the start parameter to myportal/control/showPortalPage, (4) an invalid URI beginning with /facility/control

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

NVDapache/ofbiz09.04

🔴Vulnerability Details

2
GHSA
GHSA-hr4m-h57x-5p2p: Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 092022-05-02
CVEList
CVE-2010-0432: Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 092010-04-15

💥Exploits & PoCs

3
Exploit-DB
Apache OFBiz - Multiple Cross-Site Scripting Vulnerabilities2010-04-21
Exploit-DB
Apache OFBiz - Remote Execution (via SQL Execution)2010-04-16
Exploit-DB
Apache OFBiz - Admin Creator2010-04-16

📋Vendor Advisories

1
Apache
Apache ofbiz: CVE-2010-0432
CVE-2010-0432 — Cross-site Scripting in Apache Ofbiz | cvebase