CVE-2016-4462
high
CVSS v3
8.8
CVSS v2
6.5
VIR risk
8.8
Description
By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01
Predictions
Exploit likelihood
92%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| apache | ofbiz | 11.04.02 | |
| apache | ofbiz | 11.04 | |
| apache | ofbiz | 11.04.01 | |
| apache | ofbiz | 11.04.03 | |
| apache | ofbiz | 11.04.04 | |
| apache | ofbiz | 11.04.05 | |
| apache | ofbiz | 11.04.06 | |
| apache | ofbiz | 12.04 | |
| apache | ofbiz | 12.04.01 | |
| apache | ofbiz | 12.04.02 | |
| apache | ofbiz | 12.04.03 | |
| apache | ofbiz | 12.04.04 | |
| apache | ofbiz | 12.04.05 | |
| apache | ofbiz | 12.04.06 | |
| apache | ofbiz | 13.07 | |
| apache | ofbiz | 13.07.01 | |
| apache | ofbiz | 13.07.02 | |
| apache | ofbiz | 13.07.03 | |
References
CWEs
CWE-20
Verify integrity in audit chain (admin only). AS-IS.