CVE-2014-0232 - OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1) result or (2) error message.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Ofbiz

Configuration 1 [-]

OR	cpe:2.3:a:apache:ofbiz:12.04.01:::::::*
	cpe:2.3:a:apache:ofbiz:12.04.02:::::::*
	cpe:2.3:a:apache:ofbiz:12.04.03:::::::*

Configuration 2 [-]

OR	cpe:2.3:a:apache:ofbiz:11.04.01:::::::*
	cpe:2.3:a:apache:ofbiz:11.04.02:::::::*
	cpe:2.3:a:apache:ofbiz:11.04.03:::::::*
	cpe:2.3:a:apache:ofbiz:11.04.04:::::::*

No data.

References

Link	Providers
http://ofbiz.apache.org/download.html#vulnerabilities
http://packetstormsecurity.com/files/127929/Apache-OFBiz-11.04.04-12.04.03-Cross-Site-Scripting.html
http://seclists.org/oss-sec/2014/q3/405
http://secunia.com/advisories/60807
http://svn.apache.org/viewvc?view=revision&revision=r1608698
http://www.securityfocus.com/archive/1/533163/100/0/threaded
http://www.securityfocus.com/bid/69286
http://www.securitytracker.com/id/1030739
https://exchange.xforce.ibmcloud.com/vulnerabilities/95356

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2014-08-22T14:00:00

Updated: 2024-08-06T09:05:39.317Z

Reserved: 2013-12-03T00:00:00

Link: CVE-2014-0232

Vulnrichment

No data.

NVD

Status : Modified

Published: 2014-08-22T14:55:07.127

Modified: 2018-10-09T19:41:58.373

Link: CVE-2014-0232

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-07-08T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1) result or (2) error message."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-09T18:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "[oss-security] 20140819 [CVE-2014-0232] Apache OFBiz Cross-site scripting (XSS) vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2014/q3/405"}, {"name": "60807", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/60807"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://ofbiz.apache.org/download.html#vulnerabilities"}, {"name": "1030739", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1030739"}, {"name": "apache-ofbiz-cve20140232-xss(95356)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95356"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/127929/Apache-OFBiz-11.04.04-12.04.03-Cross-Site-Scripting.html"}, {"name": "20140819 [CVE-2014-0232] Apache OFBiz Cross-site scripting (XSS) vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/533163/100/0/threaded"}, {"name": "69286", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/69286"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://svn.apache.org/viewvc?view=revision&revision=r1608698"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-0232", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1) result or (2) error message."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20140819 [CVE-2014-0232] Apache OFBiz Cross-site scripting (XSS) vulnerability", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q3/405"}, {"name": "60807", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/60807"}, {"name": "http://ofbiz.apache.org/download.html#vulnerabilities", "refsource": "CONFIRM", "url": "http://ofbiz.apache.org/download.html#vulnerabilities"}, {"name": "1030739", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1030739"}, {"name": "apache-ofbiz-cve20140232-xss(95356)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95356"}, {"name": "http://packetstormsecurity.com/files/127929/Apache-OFBiz-11.04.04-12.04.03-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/127929/Apache-OFBiz-11.04.04-12.04.03-Cross-Site-Scripting.html"}, {"name": "20140819 [CVE-2014-0232] Apache OFBiz Cross-site scripting (XSS) vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/533163/100/0/threaded"}, {"name": "69286", "refsource": "BID", "url": "http://www.securityfocus.com/bid/69286"}, {"name": "http://svn.apache.org/viewvc?view=revision&revision=r1608698", "refsource": "CONFIRM", "url": "http://svn.apache.org/viewvc?view=revision&revision=r1608698"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:05:39.317Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20140819 [CVE-2014-0232] Apache OFBiz Cross-site scripting (XSS) vulnerability", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2014/q3/405"}, {"name": "60807", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/60807"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://ofbiz.apache.org/download.html#vulnerabilities"}, {"name": "1030739", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1030739"}, {"name": "apache-ofbiz-cve20140232-xss(95356)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95356"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/127929/Apache-OFBiz-11.04.04-12.04.03-Cross-Site-Scripting.html"}, {"name": "20140819 [CVE-2014-0232] Apache OFBiz Cross-site scripting (XSS) vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/533163/100/0/threaded"}, {"name": "69286", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/69286"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://svn.apache.org/viewvc?view=revision&revision=r1608698"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-0232", "datePublished": "2014-08-22T14:00:00", "dateReserved": "2013-12-03T00:00:00", "dateUpdated": "2024-08-06T09:05:39.317Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:ofbiz:12.04.01:*:*:*:*:*:*:*", "matchCriteriaId": "7A557337-D8FD-47F4-9E66-9A642B834E7D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:ofbiz:12.04.02:*:*:*:*:*:*:*", "matchCriteriaId": "50FFA2EC-0680-4ECA-BFCA-CE6EAF5611F3", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:ofbiz:12.04.03:*:*:*:*:*:*:*", "matchCriteriaId": "4BB02CEF-3431-4138-AC3D-27363073C29C", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:ofbiz:11.04.01:*:*:*:*:*:*:*", "matchCriteriaId": "4BC9FE7F-EAAB-42DC-B0B0-81B484C06571", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:ofbiz:11.04.02:*:*:*:*:*:*:*", "matchCriteriaId": "770795DB-628C-4C60-B89A-81054048A56C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:ofbiz:11.04.03:*:*:*:*:*:*:*", "matchCriteriaId": "B9EA2BA6-F97C-4FBF-AC8C-1EEB4A68C74F", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:ofbiz:11.04.04:*:*:*:*:*:*:*", "matchCriteriaId": "E43C1CD5-4471-4D47-A722-7912E3E6A085", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1) result or (2) error message."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en framework/common/webcommon/includes/messages.ftl en Apache OFBiz 11.04.01 anterior a 11.04.05 y 12.04.01 anterior a 12.04.04 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores no especificados, los cuales no se manejan debidamente en un mensaje de (1) resultado o (2) error."}], "id": "CVE-2014-0232", "lastModified": "2018-10-09T19:41:58.373", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2014-08-22T14:55:07.127", "references": [{"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://ofbiz.apache.org/download.html#vulnerabilities"}, {"source": "secalert@redhat.com", "url": "http://packetstormsecurity.com/files/127929/Apache-OFBiz-11.04.04-12.04.03-Cross-Site-Scripting.html"}, {"source": "secalert@redhat.com", "url": "http://seclists.org/oss-sec/2014/q3/405"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/60807"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://svn.apache.org/viewvc?view=revision&revision=r1608698"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/archive/1/533163/100/0/threaded"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/69286"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1030739"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95356"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}