PT-2019-11418 · Apache · Apache Ofbiz

Author: Niels Heinen · Published 2019-09-11 · Updated 2021-07-21 · CVE-2019-10074

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache OFBiz versions prior to 16.11.06
Description: A remote code execution (RCE) issue is possible when Freemarker markup is entered in a textarea field of an Apache OFBiz Form Widget, specifically when encoding has been disabled on such a field. This was identified in the Customer Request "story" input within the Order Manager application. It is advised that encoding should not be disabled without a valid reason, especially within fields that accept user input.
Recommendations: For versions prior to 16.11.06, upgrade to 16.11.06 or manually apply the commit r1858533 on branch 16.11 as a mitigation measure.
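As an added illustration of the weakness class described above (this is not code from the advisory, from Positive Technologies, or from Apache OFBiz), the following stand-alone Java snippet contrasts two ways of rendering a user-supplied textarea value with Freemarker. In the first, the raw text is concatenated into the template source before parsing, so any Freemarker interpolation or directive the user typed is evaluated; this is the situation the advisory describes when output encoding is disabled on a field. In the second, the template source is fixed and the text is passed only as a data-model value under Freemarker's HTML output format, so it is treated as data and escaped. The class and method names are hypothetical, and the sample story text is constructed; the snippet needs only the freemarker jar on the classpath.

```java
import freemarker.core.HTMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

// Hypothetical demo class (not OFBiz code) showing why user text must reach
// Freemarker as data, never as part of the template source.
public class StoryRenderDemo {

    private static final Configuration CFG = new Configuration(Configuration.VERSION_2_3_31);
    static {
        // HTML output format: values written via ${...} are HTML-escaped automatically.
        CFG.setOutputFormat(HTMLOutputFormat.INSTANCE);
    }

    // Unsafe pattern: the user's text becomes part of the template source, so the
    // Freemarker parser sees and executes whatever markup the user typed.
    static String renderUnsafe(String userStory) throws IOException, TemplateException {
        String templateSource = "<p>Customer story: " + userStory + "</p>";
        Template t = new Template("story-unsafe", new StringReader(templateSource), CFG);
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    // Safe pattern: the template source is a constant and the user's text is bound
    // as a model variable; Freemarker never parses it, and the output format escapes it.
    static String renderSafe(String userStory) throws IOException, TemplateException {
        String templateSource = "<p>Customer story: ${story}</p>";
        Template t = new Template("story-safe", new StringReader(templateSource), CFG);
        Map<String, Object> model = new HashMap<>();
        model.put("story", userStory);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: harmless arithmetic plus an HTML tag, enough to
        // show whether the text is being parsed as template or handled as data.
        String story = "My order was late ${7*7} <b>!</b>";
        System.out.println("unsafe: " + renderUnsafe(story)); // interpolation is evaluated, tag passes through
        System.out.println("safe:   " + renderSafe(story));   // text stays literal and is HTML-escaped
    }
}
```

The defensive rule this demonstrates is the one the advisory gives: keep output encoding enabled on fields that accept user input, and never let such input become template source. A quick check when reviewing form or screen definitions is to look for any field where encoding has been switched off and ask whether the value can originate from a user.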

Tags: Fix · RCE · Special Elements Injection · Improper Encoding or Escaping of Output


Weakness Enumeration

Related Identifiers: CVE-2019-10074
Affected Products: Apache Ofbiz