CVE-2019-10074

An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*

History

07 Nov 2023, 03:02

Type Values Removed Values Added
References
  • {'url': 'https://lists.apache.org/thread.html/a02aaa4c19dfd520807cf6b106b71aad0131a6543f7f60802ae71ec2@%3Cnotifications.ofbiz.apache.org%3E', 'name': '[ofbiz-notifications] 20190913 [jira] [Updated] (OFBIZ-11006) Create customer request screen breaks when entering special characters (CVE-2019-10074)', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'}
  • () https://lists.apache.org/thread.html/a02aaa4c19dfd520807cf6b106b71aad0131a6543f7f60802ae71ec2%40%3Cnotifications.ofbiz.apache.org%3E -

Information

Published : 2019-09-11 21:15

Updated : 2024-02-28 17:08


NVD link : CVE-2019-10074

Mitre link : CVE-2019-10074

CVE.ORG link : CVE-2019-10074


JSON object : View

Products Affected

apache

  • ofbiz
CWE
CWE-116

Improper Encoding or Escaping of Output

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')