Description
Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue.
References (5)
Core 5
Core References
Product mitigation
release-notes
product
https://ofbiz.apache.org/download.html
Vendor Advisory patch
https://ofbiz.apache.org/security.html
Issue Tracking issue-tracking
https://issues.apache.org/jira/browse/OFBIZ-13162
Mailing List vendor-advisory
https://lists.apache.org/thread/6sddh4pts90cp8ktshqb4xykdp6lb6q6
Scores
CVSS v3
8.8
EPSS
0.0061
EPSS Percentile
44.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-352
CWE-94
CWE-1336
Status
published
Products (2)
apache/ofbiz
< 18.12.17
Apache Software Foundation/Apache OFBiz
< 18.12.17
Published
Nov 18, 2024
Tracked Since
Feb 18, 2026