vulnerability
Apache OFBiz: CVE-2022-25370: Cross-site Scripting vulnerability.
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:M/Au:S/C:P/I:P/A:N) | Sep 2, 2022 | Dec 23, 2024 | Apr 28, 2026 |
Severity
5
CVSS
(AV:N/AC:M/Au:S/C:P/I:P/A:N)
Published
Sep 2, 2022
Added
Dec 23, 2024
Modified
Apr 28, 2026
Description
Apache ofbiz uses the birt plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. in apache ofbiz release 18.12.05, and earlier versions, by leveraging a vulnerability in birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142), an unauthenticated malicious user could perform a stored xss attack in order to inject a malicious payload and execute it using the stored xss.
Solution
apache-ofbiz-upgrade-latest
References
- CWE-79
- CVE-2022-25370
- https://attackerkb.com/topics/CVE-2022-25370
- http://www.openwall.com/lists/oss-security/2022/09/02/8
- http://www.openwall.com/lists/oss-security/2022/09/03/1
- https://lists.apache.org/thread/vrvzokvxqtc4t6d7g8xgz89xpxcvjofh
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2022-30041
- https://github.com/eclipse/birt/issues/625
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.