CVE-2016-6800

CWE-79Cross-site Scripting (XSS)CWE-3995 documents5 sources
Severity
6.1MEDIUM
EPSS
2.7%
top 14.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache OfbizApache Ofbiz
Timeline
PublishedAug 30
Latest updateMay 13

Description

The default configuration of the Apache OFBiz framework offers a blog functionality. Different users are able to operate blogs which are related to specific parties. In the form field for the creation of new blog articles the user input of the summary field as well as the article field is not properly sanitized. It is possible to inject arbitrary JavaScript code in these form fields. This code gets executed from the browser of every user who is visiting this article. Mitigation: Upgrade to Apach

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

NVDapache/ofbiz18 versions+17
CVEListV5apache_software_foundation/apache_ofbiz11.04.*, 12.04.*, 13.07.*+2

🔴Vulnerability Details

2
GHSA
GHSA-5r8q-h585-cc8r: The default configuration of the Apache OFBiz framework offers a blog functionality2022-05-13
CVEList
CVE-2016-6800: The default configuration of the Apache OFBiz framework offers a blog functionality2017-08-30

📋Vendor Advisories

2
Cisco
Cisco IOS and NX-OS Software Locator/ID Separation Protocol Packet Denial of Service Vulnerability2016-03-23
Apache
Apache ofbiz: CVE-2016-6800
CVE-2016-6800 (MEDIUM CVSS 6.1) | The default configuration of the Ap | cvebase.io