| Field | Value |
|---|---|
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2013-2137, CVE-2013-2250 |
| CWE-ID | CWE-79, CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software | OFBiz (Other software / Other software solutions) |
| Vendor | Apache Foundation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU42666
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2013-2137
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description: The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. It allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation: Install the update from the vendor's website.
Vulnerable software versions: OFBiz 10.04.01 - 12.04.01
CPE2.3:
References:
https://archives.neohapsis.com/archives/bugtraq/2013-07/0144.html
https://ofbiz.apache.org/download.html#vulnerabilities
https://osvdb.org/95523
https://secunia.com/advisories/53910
https://www.securityfocus.com/bid/61370
https://exchange.xforce.ibmcloud.com/vulnerabilities/85874
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU42667
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2013-2250
CWE-ID:
CWE-20 - Improper Input Validation
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote attackers to execute arbitrary Unified Expression Language (UEL) functions via JUEL metacharacters in unspecified parameters, related to nested expressions.
Mitigation: Install the update from the vendor's website.
Vulnerable software versions: OFBiz 10.04.01 - 12.04.01
CPE2.3:
References:
https://archives.neohapsis.com/archives/bugtraq/2013-07/0143.html
https://ofbiz.apache.org/download.html#vulnerabilities
https://osvdb.org/95522
https://secunia.com/advisories/53910
https://www.securityfocus.com/bid/61369
https://exchange.xforce.ibmcloud.com/vulnerabilities/85875
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.