Posted to dev@ofbiz.apache.org by Jacques Le Roux <jl...@apache.org> on 2022/09/02 06:17:27 UTC
Subject: Apache OFBiz - Server-Side Template Injection (CVE-2022-25813)
Severity:
High (SSTI then possible RCE)
Vendor:
The Apache Software Foundation
Versions Affected:
OFBiz versions prior to 18.12.06
Description:
As an anonymous ecommerce client, an external attacker can insert malicious
content into the message "Subject" field of the "Contact us" page. A party
manager then needs to list the communications in the party component to
trigger the SSTI. An RCE is then possible.
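The advisory's point is that a free-text field (the message "Subject") ends up being evaluated by the template engine rather than treated as data. A useful defender-side check, independent of the patch, is to scan stored "Contact us" submissions for template syntax before anyone opens the communications list. The script below is an added example written for this advisory, not code from OFBiz or from the reporter; it assumes a hypothetical record layout (`id`, `src`, `subject`, `body`) and uses constructed sample records. The markers it looks for are the interpolation and directive delimiters of FreeMarker, the template engine OFBiz uses.

```python
import re

# Delimiters that start FreeMarker syntax and should never appear in data that
# a user typed into a form field:
#   ${   interpolation          #{   legacy interpolation
#   <#   <@   directive (angle bracket syntax, with optional closing slash)
#   [#   [@   directive (square bracket syntax)
TEMPLATE_MARKERS = re.compile(r"\$\{|#\{|</?[#@]|\[/?[#@]")

# Fields on the form that an anonymous client controls.
USER_FIELDS = ("subject", "body")

# Constructed sample submissions (hypothetical layout, not OFBiz data).
# Record 4 is a benign string containing '$' and '#' that must NOT be flagged.
SAMPLE_SUBMISSIONS = [
    {"id": 1, "src": "203.0.113.10", "subject": "Question about my order",
     "body": "Where is order 1001?"},
    {"id": 2, "src": "198.51.100.7", "subject": "Hello ${7*7}",
     "body": "test"},
    {"id": 3, "src": "198.51.100.7", "subject": "Refund",
     "body": "<#assign x = 1>${x}"},
    {"id": 4, "src": "192.0.2.55", "subject": "Price is $100 #1 seller",
     "body": "ok"},
]


def find_template_markers(text):
    """Return the distinct template delimiters present in one field value."""
    return sorted(set(TEMPLATE_MARKERS.findall(text or "")))


def flag_submissions(submissions, fields=USER_FIELDS):
    """Scan the user-controlled fields of each submission.

    Returns one finding per (submission, field) that contains template syntax,
    in submission order, so the result can be fed straight into a review queue.
    """
    findings = []
    for sub in submissions:
        for field in fields:
            markers = find_template_markers(sub.get(field))
            if markers:
                findings.append({
                    "id": sub["id"],
                    "src": sub["src"],
                    "field": field,
                    "markers": markers,
                })
    return findings


def sources_to_review(findings):
    """Group flagged submission ids by source address for triage."""
    by_src = {}
    for f in findings:
        by_src.setdefault(f["src"], []).append(f["id"])
    return by_src


if __name__ == "__main__":
    hits = flag_submissions(SAMPLE_SUBMISSIONS)
    for h in hits:
        print(f"submission {h['id']} from {h['src']}: "
              f"{h['field']} contains {', '.join(h['markers'])}")
    print("sources to review:", sources_to_review(hits))
```

The scanner only flags; it does not rewrite or drop the record, because an analyst needs the original content to confirm whether a submission was an injection attempt. Stripping or escaping the delimiters is not a substitute for the upgrade: the defect is that the field is rendered as template source at all, and that is what the patch addresses.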
Mitigation:
Upgrade to at least 18.12.06
or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12594
Credit:
Matei "Mal" Badanoiu
References:
http://ofbiz.apache.org/download.html#vulnerabilities