PT-2022-17538 · Apache · Apache Ofbiz

Published 2022-09-02 · Updated 2022-09-07 · CVE-2022-25813

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Apache OFBiz versions 18.12.05 and earlier

Description: An attacker acting as an anonymous user of the ecommerce plugin can insert malicious content into the "Subject" field of a message sent from the "Contact us" page. The stored content is later rendered as a template when a party manager lists communications in the party component, which triggers Server-Side Template Injection (SSTI) and can result in Remote Code Execution (RCE) on the server. No authentication is needed to plant the payload; it executes only when a privileged user lists the stored communications.

Recommendations: For Apache OFBiz versions 18.12.05 and earlier, restrict access to the "Contact us" page, or validate the "Subject" field and reject or neutralize template syntax before the message is stored. As a temporary workaround, prevent anonymous users from sending messages through the ecommerce plugin until a fixed version is available. Input filtering only reduces exposure: the root cause is that stored user-supplied text is parsed as a template instead of being rendered as escaped data, and a filter does nothing for messages stored before it was deployed. At the time of writing, no information is available about a newer version that contains a fix.
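The validation the recommendation calls for can be implemented as a server-side check on the "Subject" value on the write path, before the message is persisted. The following Python is an added example written for this page, not OFBiz code (OFBiz itself is Java and renders with FreeMarker); the function names, the 255-character limit and the sample subjects are constructed for illustration. It detects the FreeMarker interpolation and directive tokens that an SSTI payload needs and either rejects the message or breaks the tokens so they render as literal text.

```python
import re

# FreeMarker (the template engine OFBiz renders with) only interprets text
# that contains one of these tokens:
#   ${   #{             interpolations
#   <#   </#            directives in angle-bracket syntax
#   <@   </@            user-defined directives / macros
#   [#  [/#  [@  [/@    the same in square-bracket syntax
# A plain "Subject" line never needs any of them, so their presence is the
# signal to act on. "[#" may also appear in harmless text, so expect a few
# false positives from that branch.
TEMPLATE_SYNTAX = re.compile(r"\$\{|#\{|</?[#@]|\[/?[#@]")

# Constructed sample subjects for this example, not taken from any report.
SAMPLE_SUBJECTS = {
    "benign": "Order #12345 not delivered",
    "probe": "${7*7}",                       # classic SSTI probe
    "directive": "Help <#assign x = 1>now",  # directive syntax
}


def find_template_syntax(value: str) -> list[str]:
    """Return every template token found in value, in order (empty if clean)."""
    return [m.group(0) for m in TEMPLATE_SYNTAX.finditer(value)]


def validate_subject(value: str, max_len: int = 255) -> str:
    """Strict policy: reject the message rather than store a suspect subject.

    Raises ValueError so the caller can return an error to the anonymous
    sender without ever persisting the payload. The length cap is an
    assumed value for this example.
    """
    subject = value.strip()
    if not subject:
        raise ValueError("subject must not be empty")
    if len(subject) > max_len:
        raise ValueError(f"subject longer than {max_len} characters")
    found = find_template_syntax(subject)
    if found:
        raise ValueError(f"subject contains template syntax: {found}")
    return subject


def neutralize_subject(value: str) -> str:
    """Lenient policy: keep the message but break every template token.

    A space is inserted after the token's first character ("${" -> "$ {",
    "<#" -> "< #"), so FreeMarker sees literal text instead of a directive.
    """
    return TEMPLATE_SYNTAX.sub(lambda m: m.group(0)[0] + " " + m.group(0)[1:], value)


def is_clean(value: str) -> bool:
    """True when no template token remains in value."""
    return not find_template_syntax(value)


if __name__ == "__main__":
    for label, subject in SAMPLE_SUBJECTS.items():
        try:
            print(f"{label:10} accepted: {validate_subject(subject)!r}")
        except ValueError as exc:
            print(f"{label:10} rejected: {exc}; neutralized -> {neutralize_subject(subject)!r}")
```

Rejecting is the safer of the two policies: a filter keyed on known syntax can miss forms the engine accepts that the regex does not anticipate, whereas a rejected message is never stored at all. Either way the check must sit where the anonymous user writes the subject, not where the party manager reads it, and it does not replace the real fix, which is to pass stored user text to the template as an escaped data value instead of parsing it as template source.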

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2022-25813

Affected Products

Apache Ofbiz