CyberSec.Space Logo
Back to CVE Browser

CVE-2019-10074

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0230%
EPSS Percentile39.10th
PublishedSep 11, 2019
Last ModifiedNov 21, 2024

Vulnerability Description

An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533

Affected Platforms (CPE)

πŸ“¦
Apache

Ofbiz

>= 16.11.01 and <= 16.11.05

References & Advisories

πŸ”— https://lists.apache.org/thread.html/a02aaa4c19dfd520807cf6b106b71aad0131a6543f7f60802ae71ec2%40%3Cnotifications.ofbiz.apache.org%3E
πŸ”— https://s.apache.org/r49vw
πŸ”— https://lists.apache.org/thread.html/a02aaa4c19dfd520807cf6b106b71aad0131a6543f7f60802ae71ec2%40%3Cnotifications.ofbiz.apache.org%3E
πŸ”— https://s.apache.org/r49vw

Related Vulnerabilities

CVE-2013-225010.0

Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote atta...

CVE-2012-350610.0

Unspecified vulnerability in the Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.03 has unknown impact and attac...

CVE-2018-172009.8

The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtool...

CVE-2019-01899.8

The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/htt...