CVE-2010-0432 Information
Description
Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 09.04 and earlier, as used in Opentaps, Neogia and Entente Oya, allow remote attackers to inject arbitrary web script or HTML via (1) the productStoreId parameter to control/exportProductListing, (2) the partyId parameter to partymgr/control/viewprofile (aka partymgr/control/login), (3) the start parameter to myportal/control/showPortalPage, (4) an invalid URI beginning with /facility/control/ReceiveReturn (aka /crmsfa/control/ReceiveReturn or /cms/control/ReceiveReturn), (5) the contentId parameter (aka the entityName variable) to ecommerce/control/ViewBlogArticle, (6) the entityName parameter to webtools/control/FindGeneric, or the (7) subject or (8) content parameter to an unspecified component under ecommerce/control/contactus.
Reference
http://svn.apache.org/viewvc?view=revision&revision=920369
http://svn.apache.org/viewvc?view=revision&revision=920370
http://svn.apache.org/viewvc?view=revision&revision=920371
http://svn.apache.org/viewvc?view=revision&revision=920372
http://svn.apache.org/viewvc?view=revision&revision=920379
http://svn.apache.org/viewvc?view=revision&revision=920380
http://svn.apache.org/viewvc?view=revision&revision=920381
http://svn.apache.org/viewvc?view=revision&revision=920382
http://www.bonsai-sec.com/en/research/vulnerabilities/apacheofbiz-multiple-xss-0103.php
http://www.securityfocus.com/bid/39489