Posted to dev@ofbiz.apache.org by Jacques Le Roux <jl...@apache.org> on 2022/09/02 06:17:27 UTC

Subject: Apache OFBiz - Server-Side Template Injection (CVE-2022-25813)

Severity:
High (SSTI then possible RCE)

Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz versions prior to 18.12.06

Description:
As an anonymous ecommerce client, an external attacker can insert malicious
content into the message "Subject" field on the "Contact us" page. The SSTI is
triggered when a party manager later lists the communications in the party
component. An RCE is then possible.
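
The defect class the description refers to, as an added illustration that is not
OFBiz's own code: it assumes the FreeMarker engine OFBiz renders its templates
with (FreeMarker 2.3.31 or later) and a demo class name chosen here. Concatenating
the user-supplied subject into the template source lets the engine evaluate any
template syntax it carries; passing it as a data-model value renders it literally.

```java
// Added illustration (not OFBiz's own code) of the SSTI pattern behind the advisory.
import freemarker.core.HTMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class SubjectRenderingDemo {
    private static final Configuration CFG = new Configuration(Configuration.VERSION_2_3_31);
    static {
        // Auto-escape HTML in ${...} output so data values cannot inject markup either.
        CFG.setOutputFormat(HTMLOutputFormat.INSTANCE);
    }

    /** Vulnerable: the untrusted subject becomes part of the template source, so any
     *  FreeMarker syntax it contains is compiled and evaluated by the renderer. */
    static String renderUnsafe(String subject) throws IOException, TemplateException {
        String source = "<td>" + subject + "</td>";      // untrusted text compiled as a template
        Template t = new Template("comm-row", new StringReader(source), CFG);
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    /** Fixed: the template is a fixed constant; the subject enters only as a value in the
     *  data model, printed through ${...} with auto-escaping and never parsed as syntax. */
    static String renderSafe(String subject) throws IOException, TemplateException {
        Template t = new Template("comm-row", new StringReader("<td>${subject}</td>"), CFG);
        Map<String, Object> model = new HashMap<>();
        model.put("subject", subject);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample subject carrying an interpolation, as a contact-form user could send.
        String subject = "Order question ${\"evaluated by the engine\"}";
        System.out.println("unsafe: " + renderUnsafe(subject)); // interpolation is evaluated
        System.out.println("safe:   " + renderSafe(subject));   // subject appears verbatim, escaped
    }
}
```

A regression check for this bug is a test that feeds a subject containing template syntax through the listing renderer and asserts the output still contains the syntax as literal text.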

Mitigation:
Upgrade to at least 18.12.06
or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12594

Credit:
Matei "Mal" Badanoiu

References:
http://ofbiz.apache.org/download.html#vulnerabilities