Vendor:
The Apache Software Foundation
Versions Affected:
OFBiz 13.07.*
OFBiz 12.04.*
OFBiz 11.04.*
Description:
By manipulating the URL parameter externalLoginKey, a malicious, logged-in
user could pass valid FreeMarker directives to the template engine. The
parameter value is reflected on the web page through the template engine,
so the directives are evaluated rather than rendered as plain text; a
specially crafted FreeMarker template could be used for remote code
execution.
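The following Java snippet is an added illustration of the bug class and is
not OFBiz code or the project's fix. It calls the FreeMarker API directly; the
template text, the renderVulnerable/renderSafe method names and the probe
value are constructed for the example. The vulnerable path splices the
request parameter into the template source, so FreeMarker parses it as
template syntax; the hardened path keeps the template source constant and
passes the parameter through the data model, where it is only a string value.

```java
// Added illustration, not OFBiz code: two ways a request parameter can reach
// FreeMarker. renderVulnerable() concatenates the parameter into the template
// source, so FreeMarker parses and executes any template syntax it contains.
// renderSafe() keeps the template source fixed and hands the parameter to the
// engine as a data-model value, which is never parsed as template syntax.
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class ExternalLoginKeyRendering {

    private static Configuration config() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_23);
        // Required by the ?url built-in used in renderSafe().
        cfg.setURLEscapingCharset("UTF-8");
        return cfg;
    }

    /** Vulnerable: the untrusted parameter becomes part of the template text. */
    static String renderVulnerable(String externalLoginKey)
            throws IOException, TemplateException {
        String source = "<a href=\"/control/main?externalLoginKey="
                + externalLoginKey + "\">Continue</a>";
        Template t = new Template("vuln", new StringReader(source), config());
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    /** Hardened: the template text is a constant; the parameter is data only. */
    static String renderSafe(String externalLoginKey)
            throws IOException, TemplateException {
        String source = "<a href=\"/control/main?externalLoginKey="
                + "${externalLoginKey?url}\">Continue</a>";
        Template t = new Template("safe", new StringReader(source), config());
        Map<String, Object> model = new HashMap<>();
        model.put("externalLoginKey", externalLoginKey);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed probe: a harmless interpolation that is enough to show
        // whether the engine evaluates the parameter. A real attack would use
        // a directive that reaches Java objects; that payload is not shown.
        String probe = "${6*7}";
        System.out.println("vulnerable: " + renderVulnerable(probe));
        System.out.println("hardened:   " + renderSafe(probe));
    }
}
```

Run with the FreeMarker jar on the classpath. The vulnerable render emits the
evaluated result (42) inside the href, while the hardened render emits the
probe as percent-encoded text. The same distinction is the check to apply
when reviewing any code path that constructs a FreeMarker Template from a
String: user-controlled data belongs in the data model, never in the template
source.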
Mitigation:
Upgrade to 16.11.01
Credit: Rick Radewagen, ERNW GmbH
References:
http://ofbiz.apache.org/download.html#vulnerabilities