Posted to user@ofbiz.apache.org by Jacopo Cappellato <ja...@apache.org> on 2016/11/29 06:57:57 UTC

[SECURITY] CVE-2016-4462 OFBiz template remote code vulnerability

Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz 13.07.*
OFBiz 12.04.*
OFBiz 11.04.*

Description:
By manipulating the URL parameter externalLoginKey, a malicious, logged-in
user could pass valid Freemarker directives to the template engine, where
they are evaluated and the result is reflected on the web page; a specially
crafted Freemarker template could be used for remote code execution.
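The pattern behind this class of bug, shown as an added illustration (this is
not OFBiz code and does not reproduce the affected OFBiz view; the template
source, the "/control/main" link and the 7*7 probe string are constructed for
the example): a request parameter is concatenated into the template source, so
the engine parses anything it contains as Freemarker, versus the hardened form,
where the template source is fixed and the parameter reaches the engine only
through the data model.

```java
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class ExternalLoginKeySsti {

    // One Configuration instance is the normal usage; the version constant pins
    // engine behaviour (any 2.3.x constant that exists in your Freemarker jar works).
    private static final Configuration CFG = new Configuration(Configuration.VERSION_2_3_28);

    // VULNERABLE (illustrative): the parameter value is spliced into the template
    // text itself, so "${...}", "<#assign ...>" etc. inside it are executed by the engine.
    static String renderVulnerable(String externalLoginKey) throws IOException, TemplateException {
        String src = "<a href=\"/control/main?externalLoginKey=" + externalLoginKey + "\">continue</a>";
        Template t = new Template("vulnerable", new StringReader(src), CFG);
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    // HARDENED: the template text is a constant. The parameter is passed as a model
    // variable and interpolated with ?url, so it is treated as data and URL-encoded;
    // directives inside it are never parsed.
    static String renderSafe(String externalLoginKey) throws IOException, TemplateException {
        String src = "<a href=\"/control/main?externalLoginKey=${externalLoginKey?url(\"UTF-8\")}\">continue</a>";
        Template t = new Template("safe", new StringReader(src), CFG);
        Map<String, Object> model = new HashMap<>();
        model.put("externalLoginKey", externalLoginKey);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed, harmless probe: it only becomes "49" if the engine evaluates it.
        String probe = "${7*7}";
        System.out.println("vulnerable: " + renderVulnerable(probe));
        System.out.println("hardened:   " + renderSafe(probe));
    }
}
```

Run it with freemarker.jar on the classpath: the vulnerable rendering contains the
arithmetic result in the link, proving the parameter was parsed as template code,
while the hardened rendering contains the probe string literally (URL-encoded).
The same check, a probe that is only transformed when evaluated, is how you confirm
whether a reflected parameter reaches a template engine as code or as data, without
sending anything that executes on the server.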

Mitigation:
Upgrade to OFBiz 16.11.01.

Credit: Rick Radewagen, ERNW GmbH

References:
http://ofbiz.apache.org/download.html#vulnerabilities