⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2020-9496: Cross-site Scripting in Apache Software Foundation Apache OFBiz

Severity: 6.1 MEDIUM (NVD)
EPSS: 93.8% (top 0.14%)
CISA KEV: Not in KEV
Exploit: Exploited in wild (active exploitation observed)
Timeline: Published Jul 15; Latest update May 24

Description

XML-RPC requests are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (2 packages)

NVD: apache/ofbiz 17.12.03
CVEList V5: apache_software_foundation/apache_ofbiz (Apache OFBiz 17.12.03)

🔴 Vulnerability Details (3)

GHSA: GHSA-p23h-x6wc-8w4g: XML-RPC requests are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17 (2022-05-24)
CVEList: CVE-2020-9496: XML-RPC requests are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17 (2020-07-15)
VulnCheck: Apache OFBiz Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (2020)

💥 Exploits & PoCs (2)

Exploit-DB: ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) (2021-08-04)
Nuclei: Apache OFBiz 17.12.03 - Cross-Site Scripting

📋 Vendor Advisories (1)

Apache: Apache OFBiz: CVE-2020-9496
CVE-2020-9496 — Cross-site Scripting | cvebase