CVE-2019-10074 — Injection in Apache Ofbiz

CWE-74 — Injection CWE-116 — Improper Encoding or Escaping of Output CWE-20 — Improper Input Validation4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

1.1%

top 21.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Ofbiz

Timeline

PublishedSep 11

Latest updateMay 24

Description

An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/ofbiz16.11.01 — 16.11.05

▶CVEListV5apache/ofbizOFBiz 16.11.01 to 16.11.05

🔴Vulnerability Details

GHSA

GHSA-5wmc-72c6-q9wj: An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field↗2022-05-24

▶

CVEList

CVE-2019-10074: An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field↗2019-09-11

▶

📋Vendor Advisories

Apache

Apache ofbiz: CVE-2019-10074↗

▶