Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.19. Users are recommended to upgrade to version 18.12.19, which fixes the issue.
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
| Link | Tags |
|---|---|
| https://ofbiz.apache.org/download.html | mitigation release notes product |
| https://ofbiz.apache.org/security.html | patch vendor advisory |
| https://issues.apache.org/jira/browse/OFBIZ-13219 | patch issue tracking |
| https://lists.apache.org/thread/8d718qt8dqthnw1gmyxsq8glfdjklnjf | vendor advisory mailing list |
| http://www.openwall.com/lists/oss-security/2025/04/01/5 | mailing list |