Description
By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01
Affected products
- Apache Software Foundation / Apache OFBiz13.07.* – 13.07.*
- Apache Software Foundation / Apache OFBiz12.04.* – 12.04.*
- Apache Software Foundation / Apache OFBiz11.04.* – 11.04.*