Author: jleroux Revision: 1759218 Modified property: svn:log Modified: svn:log at Tue Nov 29 08:26:35 2016 ------------------------------------------------------------------------------ --- svn:log (original) +++ svn:log Tue Nov 29 08:26:35 2016 @@ -1 +1,10 @@ Completed the fix for securing the management of blog entries by preventing tags to be added to the content of an entry when it is updated. + +[CVE-2016-6800] Apache OFBiz blog stored XSS vulnerability +The default configuration of the OFBiz framework offers a blog +functionality. Different users are able to operate blogs which are +related to specific parties. In the form field for the creation of new +blog articles the user input of the summary field as well as the article +field is not properly sanitized. It is possible to inject arbitrary +JavaScript code in these form fields. This code gets executed from the +browser of every user who is visiting this article.
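Review bot: The amended log leaves the scope of the fix ambiguous. Its first line says tags are prevented from being added to an entry's content "when it is updated", while the added [CVE-2016-6800] text places the flaw in the form for creating new articles and names both the summary field and the article field. Since "Completed the fix" implies earlier commits, suggest citing those revisions in the log and stating whether the creation path and the summary field are handled by them or by this revision, so the message can be matched against the advisory without reading the diffs.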

