CVE-2024-48962
Severity
8.9 HIGH
EPSS
0.7%
top 28.26%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Nov 18
Description
Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.17.
Users are recommended to upgrade to version 18.12.17, which fixes the issue.
CVSS vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Affected Packages: 2 packages
Vulnerability Details
GHSA: GHSA-ffrw-8p66-394j: Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), Improper Neutralization of Special Elements Used in a (2024-11-18)
CVEList: Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE) (2024-11-18)