CVE-2025-30676: 
Apache OFBiz vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was identified in Apache OFBiz, tracked as CVE-2025-30676. The vulnerability is characterized as an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) and affects Apache OFBiz versions before 18.12.19. The vulnerability was discovered by Khaled Nassar (@mindpatch) and was disclosed in April 2025 (OSS Security).

The vulnerability is classified as a moderate severity issue with a CVSS v3.1 Base Score of 6.1 (Medium). The attack vector is characterized as Network (N) with Low attack complexity (L), requiring no privileges (N) but user interaction (R). The scope is changed (C) with Low confidentiality (L) and integrity (L) impact, and no availability impact (N) (NVD).

The vulnerability could allow attackers to execute malicious scripts in the context of the affected web application, potentially leading to theft of sensitive information, session hijacking, or other client-side attacks (OSS Security).

Users are strongly recommended to upgrade to Apache OFBiz version 18.12.19, which contains the fix for this vulnerability. The fix was implemented through multiple commits: ddfe3727b1, e7b7ae0eaa, and dba044c706 (Apache Security).