Date: Tue, 10 Sep 2019 15:29:27 -0700 From: Jacopo Cappellato <jacopoc@...che.org> To: "user@...iz.apache.org ML" <user@...iz.apache.org>, Dev list <dev@...iz.apache.org>, announce@...che.org, security@...iz.apache.org, oss-security@...ts.openwall.com, heinenn@...gle.com Subject: [CVE-2019-10074] Apache OFBiz RCE (template injection) Severity: Important Vendor: The Apache Software Foundation Versions Affected: OFBiz 16.11.01 to 16.11.05 An RCE is possible by entering Freemarker markup in an OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533 ---- Credit: Niels Heinen of the Google security team <heinenn@...gle.com> References: http://ofbiz.apache.org/download.html#vulnerabilities
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.