8.8
CVSSv3

CVE-2016-4462

CVSSv4: NA | CVSSv3: 8.8 | CVSSv2: 6.5 | VMScore: 980 | EPSS: 0.0016 | KEV: Not Included
Published: 30/08/2017 Updated: 21/11/2024

Vulnerability Summary

By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apache ofbiz 11.04

apache ofbiz 11.04.01

apache ofbiz 11.04.02

apache ofbiz 11.04.03

apache ofbiz 11.04.04

apache ofbiz 11.04.05

apache ofbiz 11.04.06

apache ofbiz 12.04

apache ofbiz 12.04.01

apache ofbiz 12.04.02

apache ofbiz 12.04.03

apache ofbiz 12.04.04

apache ofbiz 12.04.05

apache ofbiz 12.04.06

apache ofbiz 13.07

apache ofbiz 13.07.01

apache ofbiz 13.07.02

apache ofbiz 13.07.03