SB2013081501 - Multiple vulnerabilities in OFBiz
Published: August 15, 2013 Updated: December 27, 2021
Description
This security bulletin contains information about 2 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2013-2137)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
2) Input validation error (CVE-ID: CVE-2013-2250)
CWE-ID: CWE-20 - Improper Input Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote attackers to execute arbitrary Unified Expression Language (UEL) functions via JUEL metacharacters in unspecified parameters, related to nested expressions.
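As an added example (not code from the advisory or from the OFBiz project), a defender-side detection heuristic for the second issue: it flags request parameters whose decoded value carries a UEL/JUEL expression delimiter and reports the brace nesting depth, so nested expressions of the kind the advisory mentions stand out during log review or WAF rule testing. The sample query strings are constructed, and the check is a triage aid, not a replacement for the vendor update.

```python
import re
from urllib.parse import parse_qsl

# "${" or "#{" opens a Unified EL / JUEL expression.
UEL_OPEN = re.compile(r"[$#]\{")


def find_uel_expressions(text: str) -> list:
    """Return each UEL expression found in an already URL-decoded value.

    A finding records the expression text, its maximum brace nesting
    (so "${a#{b}}" is one expression with nesting 2, the shape the
    advisory calls a nested expression) and whether it was closed.
    """
    findings = []
    pos = 0
    match = UEL_OPEN.search(text, pos)
    while match:
        depth = max_depth = 1
        i = match.end()
        while i < len(text) and depth > 0:
            if text[i] == "{":          # inner "${" / "#{" also land here
                depth += 1
                max_depth = max(max_depth, depth)
            elif text[i] == "}":
                depth -= 1
            i += 1
        findings.append({"expr": text[match.start():i],
                         "nesting": max_depth, "closed": depth == 0})
        pos = i
        match = UEL_OPEN.search(text, pos)
    return findings


def scan_query_string(query: str) -> list:
    """Flag every parameter whose decoded value carries a UEL expression."""
    flagged = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        for finding in find_uel_expressions(value):
            flagged.append({"param": name, **finding})
    return flagged


# Constructed sample query strings (not taken from the advisory).
SAMPLE_QUERIES = [
    "productId=WG-1111&quantity=2",             # benign
    "productId=%24%7Bprice%7D",                 # ${...}, URL-encoded
    "name=%24%7Bfoo%23%7Bbar%7D%7D&x=1",        # nested ${...#{...}}
    "note=price%20is%20%7Bnegotiable%7D",       # braces but no $ or #
]

if __name__ == "__main__":
    for query in SAMPLE_QUERIES:
        print(query, "->", scan_query_string(query))
```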
Remediation
Install the update from the vendor's website.
References
- http://archives.neohapsis.com/archives/bugtraq/2013-07/0144.html
- http://ofbiz.apache.org/download.html#vulnerabilities
- http://osvdb.org/95523
- http://secunia.com/advisories/53910
- http://www.securityfocus.com/bid/61370
- https://exchange.xforce.ibmcloud.com/vulnerabilities/85874
- http://archives.neohapsis.com/archives/bugtraq/2013-07/0143.html
- http://osvdb.org/95522
- http://www.securityfocus.com/bid/61369
- https://exchange.xforce.ibmcloud.com/vulnerabilities/85875