CVE-2019-10074

Name of the Vulnerable Software and Affected Versions: Apache OFBiz versions prior to 16.11.06

Description: A remote code execution (RCE) issue is possible when Freemarker markup is entered in a textarea field of an Apache OFBiz Form Widget, specifically when encoding has been disabled on such a field. This was identified in the Customer Request "story" input within the Order Manager application. It is advised that encoding should not be disabled without a valid reason, especially within fields that accept user input.

Recommendations: For versions prior to 16.11.06, upgrade to 16.11.06 or manually apply the commit r1858533 on branch 16.11 as a mitigation measure.