www-announce mailing list archives

From Jacopo Cappellato <jaco...@apache.org>
Subject [SECURITY] CVE-2016-4462 OFBiz template remote code vulnerability
Date Tue, 29 Nov 2016 06:57:57 GMT
Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz 13.07.*
OFBiz 12.04.*
OFBiz 11.04.*

Description:
By manipulating the URL parameter externalLoginKey, a malicious, logged-in
user could pass valid FreeMarker directives to the template engine, which
are reflected on the web page; a specially crafted FreeMarker template could
be used for remote code execution.
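As an added detection example (not part of this advisory, and not OFBiz project code): the script below scans web-server access-log lines in combined log format and flags any request whose externalLoginKey value, once URL-decoded, contains FreeMarker directive or interpolation syntax. The log lines, client addresses and paths are constructed for the example; it assumes the server logs the full query string.

```python
# Added example: flag access-log requests that carry FreeMarker template
# syntax in OFBiz's externalLoginKey parameter (CVE-2016-4462).
import re
from urllib.parse import urlsplit, parse_qs

# FreeMarker markers: <#...> / </#...> directives, <@...> user-defined
# directives, ${...} and #{...} interpolations.
FTL_MARKERS = re.compile(r"<#|</#|<@|\$\{|#\{")

# Request line inside a combined-log entry: "METHOD /path?query HTTP/1.x"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

def suspicious_login_keys(target):
    """Return every externalLoginKey value in the request target that
    contains FreeMarker syntax. parse_qs URL-decodes the values, so
    percent-encoded markers such as %3C%23 (<#) are caught as well."""
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get("externalLoginKey", [])
    return [v for v in values if FTL_MARKERS.search(v)]

def scan_log(lines):
    """Return (line_number, client_ip, offending_value) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue                      # not a recognisable request line
        client = line.split(" ", 1)[0]    # first field of CLF is the client
        for value in suspicious_login_keys(m.group("target")):
            hits.append((n, client, value))
    return hits

# Constructed sample log: a normal login key, a URL-encoded directive
# (<#assign x=1>), an interpolation (${1+1}) and a request with no query.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Nov/2016:06:57:57 +0000] "GET /webtools/control/main?externalLoginKey=EL4f9c2a HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Nov/2016:06:58:10 +0000] "GET /webtools/control/main?externalLoginKey=%3C%23assign+x%3D1%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Nov/2016:06:58:11 +0000] "GET /webtools/control/main?externalLoginKey=abc%24%7B1%2B1%7D HTTP/1.1" 200 512',
    '10.0.0.7 - - [29/Nov/2016:06:59:00 +0000] "POST /webtools/control/login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for n, client, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: {client} sent externalLoginKey={value!r}")
```

A legitimate externalLoginKey is an opaque token, so any template marker in it is worth an alert; on patched 16.11.01 and later the check is still a cheap signal that someone is probing.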

Mitigation:
Upgrade to 16.11.01

Credit: Rick Radewagen, ERNW GmbH

References:
http://ofbiz.apache.org/download.html#vulnerabilities
