[SECURITY] CVE-2016-4462 OFBiz template remote code vulnerability

From: jacopoc
Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz 13.07.*
OFBiz 12.04.*
OFBiz 11.04.*

Description:
By manipulating the URL parameter externalLoginKey, a malicious, logged-in
user could pass valid Freemarker directives to the Template Engine that are
reflected on the webpage; a specially crafted Freemarker template could be
used for remote code execution.

Mitigation:
Upgrade to 16.11.01

Credit: Rick Radewagen, ERNW GmbH

References:
http://ofbiz.apache.org/download.html#vulnerabilities
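
To illustrate the class of bug the description refers to (a request parameter reaching the FreeMarker parser as template source rather than as data), here is a small added Java example. It is not OFBiz or FreeMarker project code and does not reproduce OFBiz's actual templates or the upstream fix; the class, method names and template strings are hypothetical, it assumes FreeMarker 2.3.x on the classpath, and the probe is a harmless arithmetic canary, not a code-execution payload.

```java
// Added illustration of server-side template injection in FreeMarker.
// Not OFBiz or FreeMarker project code; assumes freemarker 2.3.x on the classpath.
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class ExternalLoginKeyReflection {

    private static final Configuration CFG = new Configuration(Configuration.VERSION_2_3_31);

    static {
        // Required by the ?url built-in; the charset choice is an assumption for this demo.
        CFG.setURLEscapingCharset("UTF-8");
    }

    /**
     * Vulnerable pattern (hypothetical, modelled on the advisory's description):
     * the request parameter is concatenated into the template SOURCE, so any
     * FreeMarker syntax it contains is parsed and executed by the engine.
     */
    static String renderVulnerable(String externalLoginKey) throws IOException, TemplateException {
        String templateSource =
            "<a href=\"/control/main?externalLoginKey=" + externalLoginKey + "\">Continue</a>";
        return render(templateSource, new HashMap<String, Object>());
    }

    /**
     * Hardened pattern: the template source is a developer-written constant and the
     * parameter enters only as a data-model value, escaped for its output context
     * (a URL query string). Directives inside it are emitted as inert text.
     */
    static String renderHardened(String externalLoginKey) throws IOException, TemplateException {
        String templateSource =
            "<a href=\"/control/main?externalLoginKey=${externalLoginKey?url}\">Continue</a>";
        Map<String, Object> model = new HashMap<String, Object>();
        model.put("externalLoginKey", externalLoginKey);
        return render(templateSource, model);
    }

    private static String render(String source, Map<String, Object> model)
            throws IOException, TemplateException {
        Template template = new Template("demo", new StringReader(source), CFG);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed probe: harmless arithmetic interpolation, the usual SSTI canary.
        // If the engine evaluates it, the parameter is being treated as template code.
        String probe = "${(7*191)?c}";

        System.out.println("vulnerable: " + renderVulnerable(probe));
        System.out.println("hardened:   " + renderHardened(probe));
    }
}
```

Running the two paths side by side shows the difference that matters: in renderVulnerable the probe is evaluated and its result lands in the page, which is exactly the reflection the advisory describes and the foothold a crafted template would build on; in renderHardened the `$`, `{` and `}` are percent-encoded and the browser receives the literal probe text. The general rule is that untrusted input must never be part of the template source passed to the parser, only of the data model; on FreeMarker 2.3.24 and later, configuring an output format with auto-escaping is the more robust way to enforce the escaping half of that. None of this replaces the advisory's mitigation, which is to upgrade to 16.11.01.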