NVD Vulnerability Detail

CVE-2010-0432

Summary	Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 09.04 and earlier, as used in Opentaps, Neogia, and Entente Oya, allow remote attackers to inject arbitrary web script or HTML via (1) the productStoreId parameter to control/exportProductListing, (2) the partyId parameter to partymgr/control/viewprofile (aka partymgr/control/login), (3) the start parameter to myportal/control/showPortalPage, (4) an invalid URI beginning with /facility/control/ReceiveReturn (aka /crmsfa/control/ReceiveReturn or /cms/control/ReceiveReturn), (5) the contentId parameter (aka the entityName variable) to ecommerce/control/ViewBlogArticle, (6) the entityName parameter to webtools/control/FindGeneric, or the (7) subject or (8) content parameter to an unspecified component under ecommerce/control/contactus.
Publication Date	April 16, 2010, 2:30 a.m.
Registration Date	Jan. 29, 2021, 10:56 a.m.
Last Update	July 30, 2018, 9:31 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:apache:ofbiz::::::::			09.04

Related information, measures and tools

No	URL	refsource	タグ
1	http://svn.apache.org/viewvc?view=revision&revision=920369	CONFIRM	Vendor Advisory
2	http://svn.apache.org/viewvc?view=revision&revision=920370	CONFIRM	Vendor Advisory
3	http://svn.apache.org/viewvc?view=revision&revision=920371	CONFIRM	Vendor Advisory
4	http://svn.apache.org/viewvc?view=revision&revision=920372	CONFIRM	Vendor Advisory
5	http://svn.apache.org/viewvc?view=revision&revision=920379	CONFIRM	Vendor Advisory
6	http://svn.apache.org/viewvc?view=revision&revision=920380	CONFIRM	Vendor Advisory
7	http://svn.apache.org/viewvc?view=revision&revision=920381	CONFIRM	Vendor Advisory
8	http://svn.apache.org/viewvc?view=revision&revision=920382	CONFIRM	Vendor Advisory
9	http://www.bonsai-sec.com/en/research/vulnerabilities/apacheofbiz-multiple-xss-0103.php	MISC	Exploit Third Party Advisory
10	http://www.securityfocus.com/bid/39489	BID	Exploit Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

JVN Vulnerability Information

Opentaps などで使用される Apache Open For Business Project におけるクロスサイトスクリプティングの脆弱性

Title	Opentaps などで使用される Apache Open For Business Project におけるクロスサイトスクリプティングの脆弱性
Summary	Opentaps、Neogia、および Entente Oya で使用される Apache Open For Business Project には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	第三者により、以下を介して、任意の Web スクリプトまたは HTML を挿入される可能性があります。 (1) control/exportProductListing への productStoreId パラメータ (2) partymgr/control/viewprofile への partyId パラメータ (3) myportal/control/showPortalPage への start パラメータ (4) /facility/control/ReceiveReturn で始まる無効な URI (5) ecommerce/control/ViewBlogArticle への contentId パラメータ (6) webtools/control/FindGeneric への entityName パラメータ (7) ecommerce/control/contactus 無いのコンポーネントへの subject パラメータ (8) ecommerce/control/contactus 内のコンポーネントへの content パラメータ
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	April 15, 2010, midnight
Registration Date	June 26, 2012, 4:19 p.m.
Last Update	June 26, 2012, 4:19 p.m.

Affected System

Apache Software Foundation

Apache Open For Business Project (OFBiz) 09.04 およびそれ以前

opentaps

entente-oya

neogia

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2010-0432	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0432
National Vulnerability Database (NVD)
2	CVE-2010-0432	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0432

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

Change Log

No	Changed Details	Date of change
0	[2012年06月26日] 掲載	Feb. 17, 2018, 10:37 a.m.