OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.02 allow remote attackers to inject arbitrary web script or HTML via (1) a parameter array in freemarker templates, the (2) contentId or (3) mapKey parameter in a cms event request, which are not properly handled in an error message, or unspecified input in (4) an ajax request to the getServerError function in checkoutProcess.js or (5) a Webslinger component request. NOTE: some of these details are obtained from third party information.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Ofbiz

Configuration 1 [-]

cpe:2.3:a:apache:ofbiz:10.04.01:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://mail-archives.apache.org/mod_mbox/ofbiz-dev/201204.mbox/%3CA126EDA0-06A5-4B67-8CDD-FC5F5AABA147%40apache.org%3E
http://mail-archives.apache.org/mod_mbox/www-announce/201204.mbox/%3C2B984C00-EC65-4455-98D3-55735ABE8AF9%40apache.org%3E
http://ofbiz.apache.org/download.html#vulnerabilities
http://osvdb.org/show/osvdb/81346
http://osvdb.org/show/osvdb/81347
http://osvdb.org/show/osvdb/81348
http://osvdb.org/show/osvdb/81349
http://seclists.org/bugtraq/2012/Apr/101
http://seclists.org/fulldisclosure/2012/Apr/172
http://secunia.com/advisories/48800
http://www.securityfocus.com/bid/53023
http://www.securitytracker.com/id?1026927
https://exchange.xforce.ibmcloud.com/vulnerabilities/74870

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2014-06-19T14:00:00

Updated: 2024-08-06T19:01:02.769Z

Reserved: 2012-03-12T00:00:00

Link: CVE-2012-1621

Vulnrichment

No data.

NVD

Status : Modified

Published: 2014-06-19T14:55:06.863

Modified: 2023-11-07T02:10:17.547

Link: CVE-2012-1621

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2012-04-15T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.02 allow remote attackers to inject arbitrary web script or HTML via (1) a parameter array in freemarker templates, the (2) contentId or (3) mapKey parameter in a cms event request, which are not properly handled in an error message, or unspecified input in (4) an ajax request to the getServerError function in checkoutProcess.js or (5) a Webslinger component request. NOTE: some of these details are obtained from third party information."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "20120415 [CVE-2012-1621] Apache OFBiz information disclosure vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://seclists.org/bugtraq/2012/Apr/101"}, {"name": "[www-announce] 20120415 Apache OFBiz 10.04.02 released", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201204.mbox/%3C2B984C00-EC65-4455-98D3-55735ABE8AF9%40apache.org%3E"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://ofbiz.apache.org/download.html#vulnerabilities"}, {"name": "48800", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/48800"}, {"name": "81349", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/show/osvdb/81349"}, {"name": "81346", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/show/osvdb/81346"}, {"name": "81347", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/show/osvdb/81347"}, {"name": "20120415 [CVE-2012-1621] Apache OFBiz information\tdisclosure vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2012/Apr/172"}, {"name": "apache-ofbiz-multiple-xss(74870)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74870"}, {"name": "53023", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/53023"}, {"name": "81348", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/show/osvdb/81348"}, {"name": "[ofbiz-dev] 20120415 [CVE-2012-1621] Apache OFBiz information disclosure vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://mail-archives.apache.org/mod_mbox/ofbiz-dev/201204.mbox/%3CA126EDA0-06A5-4B67-8CDD-FC5F5AABA147%40apache.org%3E"}, {"name": "1026927", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1026927"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-1621", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.02 allow remote attackers to inject arbitrary web script or HTML via (1) a parameter array in freemarker templates, the (2) contentId or (3) mapKey parameter in a cms event request, which are not properly handled in an error message, or unspecified input in (4) an ajax request to the getServerError function in checkoutProcess.js or (5) a Webslinger component request. NOTE: some of these details are obtained from third party information."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20120415 [CVE-2012-1621] Apache OFBiz information disclosure vulnerability", "refsource": "BUGTRAQ", "url": "http://seclists.org/bugtraq/2012/Apr/101"}, {"name": "[www-announce] 20120415 Apache OFBiz 10.04.02 released", "refsource": "MLIST", "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201204.mbox/%3C2B984C00-EC65-4455-98D3-55735ABE8AF9@apache.org%3E"}, {"name": "http://ofbiz.apache.org/download.html#vulnerabilities", "refsource": "CONFIRM", "url": "http://ofbiz.apache.org/download.html#vulnerabilities"}, {"name": "48800", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/48800"}, {"name": "81349", "refsource": "OSVDB", "url": "http://osvdb.org/show/osvdb/81349"}, {"name": "81346", "refsource": "OSVDB", "url": "http://osvdb.org/show/osvdb/81346"}, {"name": "81347", "refsource": "OSVDB", "url": "http://osvdb.org/show/osvdb/81347"}, {"name": "20120415 [CVE-2012-1621] Apache OFBiz information\tdisclosure vulnerability", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2012/Apr/172"}, {"name": "apache-ofbiz-multiple-xss(74870)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74870"}, {"name": "53023", "refsource": "BID", "url": "http://www.securityfocus.com/bid/53023"}, {"name": "81348", "refsource": "OSVDB", "url": "http://osvdb.org/show/osvdb/81348"}, {"name": "[ofbiz-dev] 20120415 [CVE-2012-1621] Apache OFBiz information disclosure vulnerability", "refsource": "MLIST", "url": "http://mail-archives.apache.org/mod_mbox/ofbiz-dev/201204.mbox/%3CA126EDA0-06A5-4B67-8CDD-FC5F5AABA147@apache.org%3E"}, {"name": "1026927", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1026927"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T19:01:02.769Z"}, "title": "CVE Program Container", "references": [{"name": "20120415 [CVE-2012-1621] Apache OFBiz information disclosure vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://seclists.org/bugtraq/2012/Apr/101"}, {"name": "[www-announce] 20120415 Apache OFBiz 10.04.02 released", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201204.mbox/%3C2B984C00-EC65-4455-98D3-55735ABE8AF9%40apache.org%3E"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://ofbiz.apache.org/download.html#vulnerabilities"}, {"name": "48800", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/48800"}, {"name": "81349", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/show/osvdb/81349"}, {"name": "81346", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/show/osvdb/81346"}, {"name": "81347", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/show/osvdb/81347"}, {"name": "20120415 [CVE-2012-1621] Apache OFBiz information\tdisclosure vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2012/Apr/172"}, {"name": "apache-ofbiz-multiple-xss(74870)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74870"}, {"name": "53023", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/53023"}, {"name": "81348", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/show/osvdb/81348"}, {"name": "[ofbiz-dev] 20120415 [CVE-2012-1621] Apache OFBiz information disclosure vulnerability", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://mail-archives.apache.org/mod_mbox/ofbiz-dev/201204.mbox/%3CA126EDA0-06A5-4B67-8CDD-FC5F5AABA147%40apache.org%3E"}, {"name": "1026927", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id?1026927"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-1621", "datePublished": "2014-06-19T14:00:00", "dateReserved": "2012-03-12T00:00:00", "dateUpdated": "2024-08-06T19:01:02.769Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:ofbiz:10.04.01:*:*:*:*:*:*:*", "matchCriteriaId": "E9FBA6A6-D7B1-4870-B18B-60E9B5EBA5C9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.02 allow remote attackers to inject arbitrary web script or HTML via (1) a parameter array in freemarker templates, the (2) contentId or (3) mapKey parameter in a cms event request, which are not properly handled in an error message, or unspecified input in (4) an ajax request to the getServerError function in checkoutProcess.js or (5) a Webslinger component request. NOTE: some of these details are obtained from third party information."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en Apache Open For Business Project (tambi\u00e9n conocido como OFBiz) 10.04.x anterior a 10.04.02 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de (1) un array de par\u00e1metro en plantillas freemarker, el par\u00e1metro (2) contentId o (3) mapKey en una solicitud de evento cms, que no se manejan debidamente en un mensaje de error, o entradas no especificadas en (4) una solicitud ajax hacia la funci\u00f3n getServerError en checkoutProcess.js o (5) una solicitud del componente Webslinger. NOTA: algunos de estos detalles se obtienen de informaci\u00f3n de terceras partes."}], "id": "CVE-2012-1621", "lastModified": "2023-11-07T02:10:17.547", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2014-06-19T14:55:06.863", "references": [{"source": "secalert@redhat.com", "url": "http://mail-archives.apache.org/mod_mbox/ofbiz-dev/201204.mbox/%3CA126EDA0-06A5-4B67-8CDD-FC5F5AABA147%40apache.org%3E"}, {"source": "secalert@redhat.com", "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201204.mbox/%3C2B984C00-EC65-4455-98D3-55735ABE8AF9%40apache.org%3E"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://ofbiz.apache.org/download.html#vulnerabilities"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://osvdb.org/show/osvdb/81346"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://osvdb.org/show/osvdb/81347"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://osvdb.org/show/osvdb/81348"}, {"source": "secalert@redhat.com", "tags": ["Broken Link"], "url": "http://osvdb.org/show/osvdb/81349"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/bugtraq/2012/Apr/101"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2012/Apr/172"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/48800"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/53023"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id?1026927"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74870"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}