CVE-2016-4462
N/A
N/A
Summary
By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache OFBiz | 13.07.* | affected |
| Apache Software Foundation | Apache OFBiz | 12.04.* | affected |
| Apache Software Foundation | Apache OFBiz | 11.04.* | affected |
Weaknesses
- Information Disclosure
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.