cvelistv5 - cve-2025-30676

CVE-2025-30676 (GCVE-0-2025-30676)

Vulnerability from cvelistv5 – Published: 2025-04-01 14:43 – Updated: 2025-04-02 22:03

Summary

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.19. Users are recommended to upgrade to version 18.12.19, which fixes the issue.

Severity ?

No CVSS data available.

CWE

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Assigner

apache

References

URL

Tags

	https://ofbiz.apache.org/download.html	mitigationrelease-notesproduct
	https://ofbiz.apache.org/security.html	patch
	https://issues.apache.org/jira/browse/OFBIZ-13219	issue-tracking
	https://lists.apache.org/thread/8d718qt8dqthnw1gm…	vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache OFBiz	Affected: 0 , < 18.12.19 (semver)

Credits

Khaled Nassar (@mindpatch)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-30676",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-01T19:18:34.226471Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-01T19:19:46.284Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-04-02T22:03:27.945Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/04/01/5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache OFBiz",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "18.12.19",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Khaled Nassar  (@mindpatch)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 18.12.19.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.19, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.19.\n\nUsers are recommended to upgrade to version 18.12.19, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-01T14:43:49.721Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "mitigation",
            "release-notes",
            "product"
          ],
          "url": "https://ofbiz.apache.org/download.html"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://ofbiz.apache.org/security.html"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://issues.apache.org/jira/browse/OFBIZ-13219"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/8d718qt8dqthnw1gmyxsq8glfdjklnjf"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache OFBiz: Stored XSS Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-30676",
    "datePublished": "2025-04-01T14:43:49.721Z",
    "dateReserved": "2025-03-25T07:44:43.788Z",
    "dateUpdated": "2025-04-02T22:03:27.945Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-30676\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2025-04-01T15:16:07.310\",\"lastModified\":\"2025-04-29T20:52:31.980\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.\\n\\nThis issue affects Apache OFBiz: before 18.12.19.\\n\\nUsers are recommended to upgrade to version 18.12.19, which fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de neutralizaci\u00f3n incorrecta de etiquetas HTML relacionadas con scripts en una p\u00e1gina web (XSS b\u00e1sico) en Apache OFBiz. Este problema afecta a Apache OFBiz: versiones anteriores a la 18.12.19. Se recomienda actualizar a la versi\u00f3n 18.12.19, que soluciona el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-80\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"18.12.19\",\"matchCriteriaId\":\"72B590D0-2F1C-420C-BF24-B84D53838488\"}]}]}],\"references\":[{\"url\":\"https://issues.apache.org/jira/browse/OFBIZ-13219\",\"source\":\"security@apache.org\",\"tags\":[\"Patch\",\"Issue Tracking\"]},{\"url\":\"https://lists.apache.org/thread/8d718qt8dqthnw1gmyxsq8glfdjklnjf\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://ofbiz.apache.org/download.html\",\"source\":\"security@apache.org\",\"tags\":[\"Product\"]},{\"url\":\"https://ofbiz.apache.org/security.html\",\"source\":\"security@apache.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/04/01/5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/04/01/5\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-04-02T22:03:27.945Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-30676\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-01T19:18:34.226471Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-01T19:18:51.936Z\"}}], \"cna\": {\"title\": \"Apache OFBiz: Stored XSS Vulnerability\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Khaled Nassar  (@mindpatch)\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"moderate\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache OFBiz\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"18.12.19\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://ofbiz.apache.org/download.html\", \"tags\": [\"mitigation\", \"release-notes\", \"product\"]}, {\"url\": \"https://ofbiz.apache.org/security.html\", \"tags\": [\"patch\"]}, {\"url\": \"https://issues.apache.org/jira/browse/OFBIZ-13219\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://lists.apache.org/thread/8d718qt8dqthnw1gmyxsq8glfdjklnjf\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.\\n\\nThis issue affects Apache OFBiz: before 18.12.19.\\n\\nUsers are recommended to upgrade to version 18.12.19, which fixes the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eImproper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 18.12.19.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.19, which fixes the issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-80\", \"description\": \"CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2025-04-01T14:43:49.721Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-30676\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-02T22:03:27.945Z\", \"dateReserved\": \"2025-03-25T07:44:43.788Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2025-04-01T14:43:49.721Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-VHG6-M6C8-39C2

Vulnerability from github – Published: 2025-04-01 15:31 – Updated: 2025-04-03 00:31

Details

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 18.12.19.

Users are recommended to upgrade to version 18.12.19, which fixes the issue.

Severity ?

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-30676"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T15:16:07Z",
    "severity": "MODERATE"
  },
  "details": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.19.\n\nUsers are recommended to upgrade to version 18.12.19, which fixes the issue.",
  "id": "GHSA-vhg6-m6c8-39c2",
  "modified": "2025-04-03T00:31:32Z",
  "published": "2025-04-01T15:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30676"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/OFBIZ-13219"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/8d718qt8dqthnw1gmyxsq8glfdjklnjf"
    },
    {
      "type": "WEB",
      "url": "https://ofbiz.apache.org/download.html"
    },
    {
      "type": "WEB",
      "url": "https://ofbiz.apache.org/security.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/04/01/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

WID-SEC-W-2025-0682

Vulnerability from csaf_certbund - Published: 2025-04-01 22:00 - Updated: 2025-04-01 22:00

Summary

Apache OFBiz: Schwachstelle ermöglicht Cross-Site Scripting

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Apache OFBiz ist eine Suite von Unternehmensanwendungen und ein Framework zur Entwicklung weiterer Anwendungen.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache OFBiz ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen.

Betroffene Betriebssysteme

- Linux - Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Apache OFBiz ist eine Suite von Unternehmensanwendungen und ein Framework zur Entwicklung weiterer Anwendungen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache OFBiz ausnutzen, um einen Cross-Site Scripting Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0682 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0682.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0682 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0682"
      },
      {
        "category": "external",
        "summary": "Apache OFBiz Security Vulnerability vom 2025-04-01",
        "url": "https://ofbiz.apache.org/security.html"
      },
      {
        "category": "external",
        "summary": "OSS Security MAiling List vom 2025-04-01",
        "url": "https://seclists.org/oss-sec/2025/q2/2"
      },
      {
        "category": "external",
        "summary": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.",
        "url": "https://github.com/advisories/GHSA-vhg6-m6c8-39c2"
      }
    ],
    "source_lang": "en-US",
    "title": "Apache OFBiz: Schwachstelle erm\u00f6glicht Cross-Site Scripting",
    "tracking": {
      "current_release_date": "2025-04-01T22:00:00.000+00:00",
      "generator": {
        "date": "2025-04-02T10:49:45.846+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-0682",
      "initial_release_date": "2025-04-01T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-04-01T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1 8.12.19",
                "product": {
                  "name": "Apache OFBiz \u003c1 8.12.19",
                  "product_id": "T042292"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1 8.12.19",
                "product": {
                  "name": "Apache OFBiz \u003c1 8.12.19",
                  "product_id": "T042292-fixed"
                }
              }
            ],
            "category": "product_name",
            "name": "OFBiz"
          }
        ],
        "category": "vendor",
        "name": "Apache"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-30676",
      "product_status": {
        "known_affected": [
          "T042292"
        ]
      },
      "release_date": "2025-04-01T22:00:00.000+00:00",
      "title": "CVE-2025-30676"
    }
  ]
}

FKIE_CVE-2025-30676

Vulnerability from fkie_nvd - Published: 2025-04-01 15:16 - Updated: 2025-04-29 20:52

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security@apache.org	https://issues.apache.org/jira/browse/OFBIZ-13219	Patch, Issue Tracking
security@apache.org	https://lists.apache.org/thread/8d718qt8dqthnw1gmyxsq8glfdjklnjf	Mailing List
security@apache.org	https://ofbiz.apache.org/download.html	Product
security@apache.org	https://ofbiz.apache.org/security.html	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2025/04/01/5	Mailing List

Impacted products

	Vendor	Product	Version
	apache	ofbiz	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "72B590D0-2F1C-420C-BF24-B84D53838488",
              "versionEndExcluding": "18.12.19",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.19.\n\nUsers are recommended to upgrade to version 18.12.19, which fixes the issue."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de neutralizaci\u00f3n incorrecta de etiquetas HTML relacionadas con scripts en una p\u00e1gina web (XSS b\u00e1sico) en Apache OFBiz. Este problema afecta a Apache OFBiz: versiones anteriores a la 18.12.19. Se recomienda actualizar a la versi\u00f3n 18.12.19, que soluciona el problema."
    }
  ],
  "id": "CVE-2025-30676",
  "lastModified": "2025-04-29T20:52:31.980",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-04-01T15:16:07.310",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Patch",
        "Issue Tracking"
      ],
      "url": "https://issues.apache.org/jira/browse/OFBIZ-13219"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.apache.org/thread/8d718qt8dqthnw1gmyxsq8glfdjklnjf"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Product"
      ],
      "url": "https://ofbiz.apache.org/download.html"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://ofbiz.apache.org/security.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2025/04/01/5"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-80"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2025-10035

Vulnerability from cnvd - Published: 2025-05-19

Title

Apache OFBiz跨站脚本漏洞（CNVD-2025-10035）

Description

Apache OFBiz是美国阿帕奇（Apache）基金会的一套企业资源计划（ERP）系统。该系统提供了一整套基于Java的Web应用程序组件和工具。 Apache OFBiz 18.12.19之前版本存在跨站脚本漏洞，该漏洞源于应用对用户提供的数据缺乏有效过滤与转义，攻击者可利用该漏洞通过注入精心设计的有效载荷执行任意Web脚本或HTML。

Severity

中

Patch Name

Apache OFBiz跨站脚本漏洞（CNVD-2025-10035）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/8d718qt8dqthnw1gmyxsq8glfdjklnjf

Reference

https://issues.apache.org/jira/browse/OFBIZ-13219

Impacted products

Name
Apache Apache OFBiz <18.12.19

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-30676",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-30676"
    }
  },
  "description": "Apache OFBiz\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u4f01\u4e1a\u8d44\u6e90\u8ba1\u5212\uff08ERP\uff09\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u63d0\u4f9b\u4e86\u4e00\u6574\u5957\u57fa\u4e8eJava\u7684Web\u5e94\u7528\u7a0b\u5e8f\u7ec4\u4ef6\u548c\u5de5\u5177\u3002\n\nApache OFBiz 18.12.19\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u5bf9\u7528\u6237\u63d0\u4f9b\u7684\u6570\u636e\u7f3a\u4e4f\u6709\u6548\u8fc7\u6ee4\u4e0e\u8f6c\u4e49\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u6ce8\u5165\u7cbe\u5fc3\u8bbe\u8ba1\u7684\u6709\u6548\u8f7d\u8377\u6267\u884c\u4efb\u610fWeb\u811a\u672c\u6216HTML\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/8d718qt8dqthnw1gmyxsq8glfdjklnjf",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-10035",
  "openTime": "2025-05-19",
  "patchDescription": "Apache OFBiz\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u4f01\u4e1a\u8d44\u6e90\u8ba1\u5212\uff08ERP\uff09\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u63d0\u4f9b\u4e86\u4e00\u6574\u5957\u57fa\u4e8eJava\u7684Web\u5e94\u7528\u7a0b\u5e8f\u7ec4\u4ef6\u548c\u5de5\u5177\u3002\r\n\r\nApache OFBiz 18.12.19\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u5bf9\u7528\u6237\u63d0\u4f9b\u7684\u6570\u636e\u7f3a\u4e4f\u6709\u6548\u8fc7\u6ee4\u4e0e\u8f6c\u4e49\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u6ce8\u5165\u7cbe\u5fc3\u8bbe\u8ba1\u7684\u6709\u6548\u8f7d\u8377\u6267\u884c\u4efb\u610fWeb\u811a\u672c\u6216HTML\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache OFBiz\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2025-10035\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Apache OFBiz \u003c18.12.19"
  },
  "referenceLink": "https://issues.apache.org/jira/browse/OFBIZ-13219",
  "serverity": "\u4e2d",
  "submitTime": "2025-04-09",
  "title": "Apache OFBiz\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2025-10035\uff09"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-30676 (GCVE-0-2025-30676)

GHSA-VHG6-M6C8-39C2

WID-SEC-W-2025-0682

FKIE_CVE-2025-30676

CNVD-2025-10035

Tags

Sightings

Nomenclature