
List:       oss-security
Subject:    [oss-security] [CVE-2019-10074] Apache OFBiz RCE (template injection)
From:       Jacopo Cappellato <jacopoc () apache ! org>
Date:       2019-09-10 22:29:27
Message-ID: CAEvdU_1YsVy-7xZNn-uHDjzsbsUHvQNL-8ue5Dzb2q1kaF1UdA () mail ! gmail ! com


Severity:
Important

Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz 16.11.01 to 16.11.05

An RCE is possible by entering Freemarker markup in an OFBiz Form Widget
textarea field when encoding has been disabled on such a field.  This was
the case for the Customer Request "story" input in the Order Manager
application.  Encoding should not be disabled without good reason and never
within a field that accepts user input.


Mitigation:
Upgrade to 16.11.06
or manually apply the following commit on branch 16.11:
r1858533
----

Credit:
Niels Heinen of the Google security team <heinenn@google.com>

References:
http://ofbiz.apache.org/download.html#vulnerabilities

