PT-2024-8602 · Apache · Apache Ofbiz

Authors: Marimoo.Eth +2
Published: 2024-11-16 · Updated: 2024-11-21
CVE-2024-48962
CVSS v4.0: 8.9 (High)
Vector: AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N/R:U/V:C/RE:H/U:Amber
Name of the Vulnerable Software and Affected Versions: Apache OFBiz versions prior to 18.12.17
Description: Apache OFBiz before 18.12.17 suffers from improper control of code generation (code injection) combined with cross-site request forgery (CSRF) and improper neutralization of special elements used in a template engine. A remote attacker who induces a user to submit a crafted request (the CSRF component; the UI:A metric in the vector reflects this required user interaction) can inject code that the template engine evaluates and use it to perform server-side request forgery (SSRF) from the OFBiz server.
Recommendations: Upgrade Apache OFBiz to version 18.12.17, which fixes the issue. If the upgrade cannot be applied immediately, restrict access to the vulnerable components as a temporary workaround; this reduces exposure but does not remove the flaw.

Fix

Code Injection

CSRF


Weakness Enumeration

Related Identifiers

BDU:2024-10171
CVE-2024-48962

Affected Products

Apache Ofbiz