Description
In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin can insert malicious content in a message "Subject" field from the "Contact us" page. Then a party manager needs to list the communications in the party component to activate the SSTI. An RCE is then possible.
References
- Mailing List, Patch, Third Party Advisory
- Mailing List, Patch, Vendor Advisory
- Mailing List, Patch, Third Party Advisory
- Mailing List, Patch, Vendor Advisory
Vulnerable configurations
Configuration 1: versions before 18.12.06 (excluding)
cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
EPSS
Percentile: 98%
Score: 0.57511
Medium
CVSS3: 7.5 High
Weaknesses (CWE)
CWE-1336
CWE-94
Related vulnerabilities
CVSS3: 7.5
github
more than 3 years ago