CVE-2016-4462

By manipulating the URL parameter externalLoginKey, a malicious, logged-in user could pass valid Freemarker directives to the template engine, which are reflected on the web page; a specially crafted Freemarker template could be used for remote code execution.
Mitigation: Upgrade to Apache OFBiz 16.11.01
Provider | Type | Base Score (CVSS 3.x) | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST     | NIST | 8.8 HIGH              | NETWORK     | LOW             | LOW            | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
apache   | CNA  | ---                   | ---         | ---             | ---            | ---
CVE      | ADP  | ---                   | ---         | ---             | ---            | ---

EPSS Score Percentile: 51%
Vulnerable software versions (vendor: apache, product: ofbiz):
  11.04, 11.04.01, 11.04.02, 11.04.03, 11.04.04, 11.04.05, 11.04.06
  12.04, 12.04.01, 12.04.02, 12.04.03, 12.04.04, 12.04.05, 12.04.06
  13.07, 13.07.01, 13.07.02, 13.07.03