Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-1943

CWE-79Cross-site Scripting (XSS)6 documents6 sources
Severity
6.1MEDIUM
EPSS
84.0%
top 0.70%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Apache OfbizApache Apache Ofbiz
Timeline
PublishedApr 1
Latest updateMay 24

Description

Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

NVDapache/ofbiz16.11.0116.11.07
CVEListV5apache/apache_ofbiz16.11.01 to 16.11.07

🔴Vulnerability Details

3
GHSA
GHSA-pmjx-2693-rfj2: Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 162022-05-24
CVEList
CVE-2020-1943: Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 162020-04-01
VulnCheck
Apache OFBiz Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')2020

💥Exploits & PoCs

1
Nuclei
Apache OFBiz <=16.11.07 - Cross-Site Scripting

📋Vendor Advisories

1
Apache
Apache ofbiz: CVE-2020-1943