PT-2017-8497 · Apache · Apache Ofbiz

Published: 2017-08-30 · Updated: 2024-02-14 · CVE-2016-4462

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache OFBiz versions prior to 16.11.01

Description: The issue allows a malicious, logged-in user to manipulate the externalLoginKey URL parameter to pass valid Freemarker directives to the Template Engine, which are then reflected on the webpage. This could be exploited using a specially crafted Freemarker template for remote code execution.

Recommendations: For versions prior to 16.11.01, upgrade to Apache OFBiz 16.11.01 to resolve the issue. As a temporary workaround, consider restricting access to the externalLoginKey parameter in the affected URL to minimize the risk of exploitation.
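A log check to accompany the workaround above, added here as an example that is not part of this advisory or of Apache OFBiz: it scans constructed access-log lines and flags requests whose externalLoginKey value carries Freemarker syntax markers or falls outside an assumed alphanumeric key format (the key format and log layout are assumptions, not taken from the advisory).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Combined Log Format; not real OFBiz traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Aug/2017:10:00:01 +0000] "GET /webtools/control/main?externalLoginKey=EL123456abcdef HTTP/1.1" 200 5120
10.0.0.7 - - [30/Aug/2017:10:00:02 +0000] "GET /webtools/control/main?externalLoginKey=%24%7Bx%7D HTTP/1.1" 200 5122
10.0.0.9 - - [30/Aug/2017:10:00:03 +0000] "GET /webtools/control/main?externalLoginKey=%3C%23assign+x%3D1%3E HTTP/1.1" 200 5130
10.0.0.9 - - [30/Aug/2017:10:00:04 +0000] "GET /webtools/control/main?externalLoginKey=abc%20def HTTP/1.1" 200 5001
10.0.0.9 - - [30/Aug/2017:10:00:05 +0000] "GET /webtools/control/main HTTP/1.1" 200 5000
"""

# Client address and request target from a Combined Log Format line.
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/')

# Opening tokens of Freemarker interpolations and directives (both syntaxes).
FREEMARKER_MARKERS = ("${", "#{", "<#", "<@", "[#", "[@")

# Assumed shape of a legitimate key: alphanumeric only. Anything else is
# reported so an analyst can review it, even without template syntax.
VALID_KEY = re.compile(r"^[A-Za-z0-9]+$")


def find_suspicious_external_login_keys(log_text):
    """Return one finding per request whose externalLoginKey value contains
    Freemarker syntax markers or does not match the expected key charset."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes values and turns '+' into spaces.
        for value in parse_qs(query, keep_blank_values=True).get("externalLoginKey", []):
            if any(marker in value for marker in FREEMARKER_MARKERS):
                reason = "freemarker-syntax"
            elif not VALID_KEY.match(value):
                reason = "unexpected-charset"
            else:
                continue
            findings.append({"client": m.group("client"), "value": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_external_login_keys(SAMPLE_LOG):
        print(finding)
```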

Fix

RCE

Weakness Enumeration

Related Identifiers: CVE-2016-4462

Affected Products: Apache Ofbiz