CVE-2022-25813Improper Neutralization of Special Elements Used in a Template Engine in Apache Ofbiz

CWE-1336Improper Neutralization of Special Elements Used in a Template EngineCWE-94Code Injection4 documents4 sources
Severity
7.5HIGHNVD
EPSS
60.3%
top 1.71%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache OfbizApache Software Foundation Apache Ofbiz
Timeline
PublishedSep 2
Latest updateSep 3

Description

In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious content in a message “Subject” field from the "Contact us" page. Then a party manager needs to list the communications in the party component to activate the SSTI. A RCE is then possible.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDapache/ofbiz< 18.12.06
CVEListV5apache_software_foundation/apache_ofbizApache OFBiz18.12.05

Patches

Patch: www.openwall.comPatch: lists.apache.orgPatch: www.openwall.com

🔴Vulnerability Details

2
GHSA
GHSA-wrch-3crx-rcpq: In Apache OFBiz, versions 182022-09-03
CVEList
Server-Side Template Injection affecting the ecommerce plugin of Apache OFBiz2022-09-02

📋Vendor Advisories

1
Apache
Apache ofbiz: CVE-2022-25813
CVE-2022-25813 — Apache Ofbiz vulnerability | cvebase