Multiple vulnerabilities in OFBiz
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2016-4462 CVE-2016-6800 |
| CWE-ID | CWE-20 CWE-79 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
OFBiz Other software / Other software solutions |
| Vendor | Apache Foundation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU38375
Risk: High
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2016-4462
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to execute arbitrary code.
By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01
MitigationInstall update from vendor's website.
Vulnerable software versionsOFBiz: 11.04 - 13.07.03
CPE2.3- cpe:2.3:a:apache_foundation:ofbiz:11.04:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:ofbiz:11.04.01:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:ofbiz:11.04.02:*:*:*:*:*:*:*
https://git.net/ml/dev.ofbiz.apache.org/2016-11/msg00180.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Cross-site scripting
EUVDB-ID: #VU38376
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-6800
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The default configuration of the Apache OFBiz framework offers a blog functionality. Different users are able to operate blogs which are related to specific parties. In the form field for the creation of new blog articles the user input of the summary field as well as the article field is not properly sanitized. It is possible to inject arbitrary JavaScript code in these form fields. This code gets executed from the browser of every user who is visiting this article. Mitigation: Upgrade to Apache OFBiz 16.11.01.
MitigationInstall update from vendor's website.
Vulnerable software versionsOFBiz: 11.04 - 13.07.03
CPE2.3- cpe:2.3:a:apache_foundation:ofbiz:11.04:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:ofbiz:11.04.01:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:ofbiz:11.04.02:*:*:*:*:*:*:*
https://lists.apache.org/thread.html/28987cffe0237fa67eca9de8bbbc04a917ac8785342ad9e5a196c978@%3Cuser.ofbiz.apache.org%3E
https://s.apache.org/Owsz
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
