CyberSec.Space Logo
返回 CVE 瀏覽器

CVE-2019-10074

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0230%
EPSS Percentile39.10th
Published2019年9月11日
Last Modified2024年11月21日

Vulnerability Description

An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533

Affected Platforms (CPE)

📦
Apache

Ofbiz

>= 16.11.01 and <= 16.11.05

References & Advisories

🔗 https://lists.apache.org/thread.html/a02aaa4c19dfd520807cf6b106b71aad0131a6543f7f60802ae71ec2%40%3Cnotifications.ofbiz.apache.org%3E
🔗 https://s.apache.org/r49vw
🔗 https://lists.apache.org/thread.html/a02aaa4c19dfd520807cf6b106b71aad0131a6543f7f60802ae71ec2%40%3Cnotifications.ofbiz.apache.org%3E
🔗 https://s.apache.org/r49vw

相關漏洞威脅

CVE-2013-225010.0

Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote atta...

CVE-2012-350610.0

Unspecified vulnerability in the Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.03 has unknown impact and attac...

CVE-2018-172009.8

The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtool...

CVE-2019-01899.8

The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/htt...