Headline
CVE-2022-25813
In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious content in a message “Subjectâ€? field from the “Contact us” page. Then a party manager needs to list the communications in the party component to activate the SSTI. A RCE is then possible.
Email display mode:
Modern rendering
Legacy rendering
Related news
CVE-2022-47501: The Apache OFBiz® Project - Security
Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07.