// For flags

CVE-2012-1621

 

Time Line
Published
2024-03-19
Updated
2024-03-19
Firt exploit
2024-03-19
Overview
Descriptions (2)
NVD, NVD
CWE (1)
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC (-)
Risk
CVSS Score
6.1 Medium
SSVC
-
KEV
-
EPSS
3.1%
Affected Products (-)
Vendors (1)
apache
Products (1)
ofbiz
Versions (1)
10.04.01
Intel Resources (-)
Advisories (-)
-
Exploits (-)
-
Plugins (-)
-
References (13)
General (12)
apache, osvdb, seclists, secunia ...
Exploits & POcs (-)
Patches (-)
Advisories (1)
apache
Summary
Descriptions

Multiple cross-site scripting (XSS) vulnerabilities in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.02 allow remote attackers to inject arbitrary web script or HTML via (1) a parameter array in freemarker templates, the (2) contentId or (3) mapKey parameter in a cms event request, which are not properly handled in an error message, or unspecified input in (4) an ajax request to the getServerError function in checkoutProcess.js or (5) a Webslinger component request. NOTE: some of these details are obtained from third party information.

Múltiples vulnerabilidades de XSS en Apache Open For Business Project (también conocido como OFBiz) 10.04.x anterior a 10.04.02 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de (1) un array de parámetro en plantillas freemarker, el parámetro (2) contentId o (3) mapKey en una solicitud de evento cms, que no se manejan debidamente en un mensaje de error, o entradas no especificadas en (4) una solicitud ajax hacia la función getServerError en checkoutProcess.js o (5) una solicitud del componente Webslinger. NOTA: algunos de estos detalles se obtienen de información de terceras partes.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2012-03-12 CVE Reserved
  • 2014-06-19 CVE Published
  • 2024-08-06 CVE Updated
  • 2024-12-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Threat Intelligence Resources (0)
Security Advisory details:

Select an advisory to view details here.

Select an exploit to view details here.

Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache
Search vendor "Apache"
 Ofbiz
Search vendor "Apache" for product "Ofbiz"
 10.04.01
Search vendor "Apache" for product "Ofbiz" and version "10.04.01"
-
Affected