Posted to announce@apache.org by Jacopo Cappellato <ja...@apache.org> on 2019/09/10 22:29:27 UTC
[CVE-2019-10074] Apache OFBiz RCE (template injection)
Severity:
Important
Vendor:
The Apache Software Foundation
Versions Affected:
OFBiz 16.11.01 to 16.11.05
An RCE is possible by entering Freemarker markup in an OFBiz Form Widget
textarea field when encoding has been disabled on such a field. This was
the case for the Customer Request "story" input in the Order Manager
application. Encoding should not be disabled without good reason and never
within a field that accepts user input.
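The advisory describes the field-level encoding as the safeguard that was missing; the underlying defect is that a request value reached the FreeMarker engine as template source rather than as data. The following is an added illustration, not OFBiz code and not the content of r1858533: the same engine rendering a textarea both ways, with a harmless arithmetic expression standing in for the markup an attacker would supply. The class and method names and the field name "story" are chosen here for the example.

```java
// Added illustration, not OFBiz's own code: one FreeMarker engine, used two ways.
import freemarker.core.HTMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class StoryRenderDemo {
    private static final Configuration CFG = new Configuration(Configuration.VERSION_2_3_28);
    static {
        // Values interpolated with ${...} are HTML-escaped on output.
        CFG.setOutputFormat(HTMLOutputFormat.INSTANCE);
    }

    // VULNERABLE PATTERN: the request value is spliced into the template *source*,
    // so any FreeMarker syntax it contains is parsed and executed by the engine.
    // Output encoding of the value is then the only thing standing between the
    // user and the template parser, which is the situation the advisory describes.
    static String renderUnsafe(String story) throws IOException, TemplateException {
        String src = "<textarea name=\"story\">" + story + "</textarea>";
        Template t = new Template("story-unsafe", new StringReader(src), CFG);
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    // HARDENED PATTERN: the template source is a constant; the value travels through
    // the data model, where the engine treats it as plain text and escapes it on output.
    static String renderSafe(String story) throws IOException, TemplateException {
        String src = "<textarea name=\"story\">${story}</textarea>";
        Template t = new Template("story-safe", new StringReader(src), CFG);
        Map<String, Object> model = new HashMap<>();
        model.put("story", story);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a benign expression that reveals whether the
        // engine evaluates the field content or merely echoes it.
        String probe = "My printer is broken ${7*7}";
        System.out.println(renderUnsafe(probe));
        System.out.println(renderSafe(probe));
    }
}
```

Comparing the two outputs for the same input shows the difference that matters for review: in the first, the expression inside the field is evaluated; in the second, it is rendered verbatim as text.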
Mitigation:
Upgrade to 16.11.06
or manually apply the following commit on branch 16.11:
r1858533
----
Credit:
Niels Heinen of the Google security team <he...@google.com>
References:
http://ofbiz.apache.org/download.html#vulnerabilities