{"containers":{"cna":{"affected":[{"product":"Apache OFBiz","vendor":"n/a","versions":[{"status":"affected","version":"Apache OFBiz 17.12.03"}]}],"descriptions":[{"lang":"en","value":"XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03"}],"problemTypes":[{"descriptions":[{"description":"XSS Vulnerability","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2021-08-04T15:06:12.000Z","orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache"},"references":[{"tags":["x_refsource_MISC"],"url":"https://s.apache.org/l0994"},{"name":"[announce] 20200715 [CVE-2020-9496] Apache OFBiz XML-RPC requests vulnerable without authentication","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/raf6020f765f12711e817ce13df63ecd7d677eebea8001e0473ee7c84%40%3Cannounce.apache.org%3E"},{"name":"[ofbiz-notifications] 20200716 [jira] [Updated] (OFBIZ-11716) Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496)","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/rde93e1c91620335b72b798f78ab4459d3f7b06f96031d8ce86a18825%40%3Cnotifications.ofbiz.apache.org%3E"},{"tags":["x_refsource_MISC"],"url":"http://packetstormsecurity.com/files/158887/Apache-OFBiz-XML-RPC-Java-Deserialization.html"},{"name":"[ofbiz-user] 20201116 [CVE-2020-9496] Apache OFBiz unsafe deserialization of XMLRPC arguments","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r8fb319dc1f196563955fbf5e9cf454fb9d6c27c2058066445af7f8cb%40%3Cuser.ofbiz.apache.org%3E"},{"name":"[ofbiz-user] 20201117 Re: [CVE-2020-9496] Apache OFBiz unsafe deserialization of XMLRPC arguments","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/ra43cfe80226c3b23cd775f3543da10c035ad9c9943cfe8a680490730%40%3Cuser.ofbiz.apache.org%3E"},{"tags":["x_refsource_MISC"],"url":"http://packetstormsecurity.com/files/161769/Apache-OFBiz-XML-RPC-Java-Deserialization.html"},{"name":"[ofbiz-commits] 20210321 [ofbiz-site] branch master updated: Updates security page for CVE-2021-26295 fixed in 17.12.06","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r0a0a701610b3bcdf14634047313adab3f1628bb9aa55cf29cd262ef5%40%3Ccommits.ofbiz.apache.org%3E"},{"name":"[ofbiz-commits] 20210427 [ofbiz-site] branch master updated: Updates security page for CVE-2021-29200 and 30128 fixed in 17.12.07","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d%40%3Ccommits.ofbiz.apache.org%3E"},{"tags":["x_refsource_MISC"],"url":"http://packetstormsecurity.com/files/163730/Apache-OfBiz-17.12.01-Remote-Command-Execution.html"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","ID":"CVE-2020-9496","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache OFBiz","version":{"version_data":[{"version_value":"Apache OFBiz 17.12.03"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"XSS Vulnerability"}]}]},"references":{"reference_data":[{"name":"https://s.apache.org/l0994","refsource":"MISC","url":"https://s.apache.org/l0994"},{"name":"[announce] 20200715 [CVE-2020-9496] Apache OFBiz XML-RPC requests vulnerable without authentication","refsource":"MLIST","url":"https://lists.apache.org/thread.html/raf6020f765f12711e817ce13df63ecd7d677eebea8001e0473ee7c84@%3Cannounce.apache.org%3E"},{"name":"[ofbiz-notifications] 20200716 [jira] [Updated] (OFBIZ-11716) Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496)","refsource":"MLIST","url":"https://lists.apache.org/thread.html/rde93e1c91620335b72b798f78ab4459d3f7b06f96031d8ce86a18825@%3Cnotifications.ofbiz.apache.org%3E"},{"name":"http://packetstormsecurity.com/files/158887/Apache-OFBiz-XML-RPC-Java-Deserialization.html","refsource":"MISC","url":"http://packetstormsecurity.com/files/158887/Apache-OFBiz-XML-RPC-Java-Deserialization.html"},{"name":"[ofbiz-user] 20201116 [CVE-2020-9496] Apache OFBiz unsafe deserialization of XMLRPC arguments","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r8fb319dc1f196563955fbf5e9cf454fb9d6c27c2058066445af7f8cb@%3Cuser.ofbiz.apache.org%3E"},{"name":"[ofbiz-user] 20201117 Re: [CVE-2020-9496] Apache OFBiz unsafe deserialization of XMLRPC arguments","refsource":"MLIST","url":"https://lists.apache.org/thread.html/ra43cfe80226c3b23cd775f3543da10c035ad9c9943cfe8a680490730@%3Cuser.ofbiz.apache.org%3E"},{"name":"http://packetstormsecurity.com/files/161769/Apache-OFBiz-XML-RPC-Java-Deserialization.html","refsource":"MISC","url":"http://packetstormsecurity.com/files/161769/Apache-OFBiz-XML-RPC-Java-Deserialization.html"},{"name":"[ofbiz-commits] 20210321 [ofbiz-site] branch master updated: Updates security page for CVE-2021-26295 fixed in 17.12.06","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r0a0a701610b3bcdf14634047313adab3f1628bb9aa55cf29cd262ef5@%3Ccommits.ofbiz.apache.org%3E"},{"name":"[ofbiz-commits] 20210427 [ofbiz-site] branch master updated: Updates security page for CVE-2021-29200 and 30128 fixed in 17.12.07","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d@%3Ccommits.ofbiz.apache.org%3E"},{"name":"http://packetstormsecurity.com/files/163730/Apache-OfBiz-17.12.01-Remote-Command-Execution.html","refsource":"MISC","url":"http://packetstormsecurity.com/files/163730/Apache-OfBiz-17.12.01-Remote-Command-Execution.html"}]}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T10:34:37.912Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://s.apache.org/l0994"},{"name":"[announce] 20200715 [CVE-2020-9496] Apache OFBiz XML-RPC requests vulnerable without authentication","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/raf6020f765f12711e817ce13df63ecd7d677eebea8001e0473ee7c84%40%3Cannounce.apache.org%3E"},{"name":"[ofbiz-notifications] 20200716 [jira] [Updated] (OFBIZ-11716) Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496)","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/rde93e1c91620335b72b798f78ab4459d3f7b06f96031d8ce86a18825%40%3Cnotifications.ofbiz.apache.org%3E"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://packetstormsecurity.com/files/158887/Apache-OFBiz-XML-RPC-Java-Deserialization.html"},{"name":"[ofbiz-user] 20201116 [CVE-2020-9496] Apache OFBiz unsafe deserialization of XMLRPC arguments","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r8fb319dc1f196563955fbf5e9cf454fb9d6c27c2058066445af7f8cb%40%3Cuser.ofbiz.apache.org%3E"},{"name":"[ofbiz-user] 20201117 Re: [CVE-2020-9496] Apache OFBiz unsafe deserialization of XMLRPC arguments","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/ra43cfe80226c3b23cd775f3543da10c035ad9c9943cfe8a680490730%40%3Cuser.ofbiz.apache.org%3E"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://packetstormsecurity.com/files/161769/Apache-OFBiz-XML-RPC-Java-Deserialization.html"},{"name":"[ofbiz-commits] 20210321 [ofbiz-site] branch master updated: Updates security page for CVE-2021-26295 fixed in 17.12.06","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r0a0a701610b3bcdf14634047313adab3f1628bb9aa55cf29cd262ef5%40%3Ccommits.ofbiz.apache.org%3E"},{"name":"[ofbiz-commits] 20210427 [ofbiz-site] branch master updated: Updates security page for CVE-2021-29200 and 30128 fixed in 17.12.07","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d%40%3Ccommits.ofbiz.apache.org%3E"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://packetstormsecurity.com/files/163730/Apache-OfBiz-17.12.01-Remote-Command-Execution.html"}]}]},"cveMetadata":{"assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","assignerShortName":"apache","cveId":"CVE-2020-9496","datePublished":"2020-07-15T15:39:31.000Z","dateReserved":"2020-03-01T00:00:00.000Z","dateUpdated":"2024-08-04T10:34:37.912Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}