First published: Wed Sep 11 2019
An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when output encoding has been disabled on that field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good reason, and never on a field that accepts user input. Mitigation: upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533
Credit: security@apache.org
Affected Software | Affected Version | How to fix
---|---|---
Apache OFBiz | >=16.11.01, <=16.11.05 | Upgrade to 16.11.06 or apply r1858533 on branch 16.11
CVE-2019-10074 is a vulnerability that allows remote code execution (RCE) in Apache OFBiz: Freemarker markup entered into a Form Widget textarea field is evaluated when output encoding has been disabled on that field.
CVE-2019-10074 has a severity rating of 9.8 (critical).
Apache OFBiz versions 16.11.01 to 16.11.05 are affected by CVE-2019-10074.
CVE-2019-10074 allows an attacker to execute arbitrary code remotely on the affected Apache OFBiz instance.
To fix CVE-2019-10074, it is recommended to keep output encoding enabled on all textarea fields in Apache OFBiz and to update to a patched version.
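The condition the advisory describes is a form-widget field that accepts user input but has output encoding switched off. As an added example (not code from this page, from SecAlerts, or from the Apache OFBiz project), the script below audits form-widget XML for that pattern. It assumes the field attribute is spelled `encode-output` and defaults to enabled, as in OFBiz form-widget XML; verify the attribute name against the widget-form.xsd shipped with your OFBiz version. The sample XML is constructed for the example.

```python
"""Audit OFBiz-style form-widget XML for fields with output encoding disabled.

Assumption (verify against your widget-form.xsd): the per-field attribute is
named `encode-output` and is treated as enabled unless explicitly "false".
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: one textarea with encoding disabled (the risky pattern),
# one text field with default encoding, and one display-only field with
# encoding disabled (worth reporting, but it does not accept user input).
SAMPLE_FORM_XML = """<?xml version="1.0" encoding="UTF-8"?>
<forms xmlns="http://ofbiz.apache.org/Widget-Form">
  <form name="EditCustRequest" type="single" target="updateCustRequest">
    <field name="story" encode-output="false"><textarea cols="60" rows="5"/></field>
    <field name="custRequestName"><text size="40"/></field>
    <field name="description" encode-output="false"><display/></field>
  </form>
</forms>
"""

# Widget elements that accept user-supplied content.
USER_INPUT_WIDGETS = {"textarea", "text", "password", "file", "textfind"}


def _local(tag):
    """Strip an XML namespace prefix: '{uri}field' -> 'field'."""
    return tag.rsplit("}", 1)[-1]


def audit_form_xml(xml_text):
    """Return (form, field, widget, accepts_input) for every field whose
    encode-output attribute is explicitly "false"."""
    root = ET.fromstring(xml_text)
    findings = []
    for form in root.iter():
        if _local(form.tag) != "form":
            continue
        for field in form:
            if _local(field.tag) != "field":
                continue
            if field.get("encode-output", "true").strip().lower() != "false":
                continue
            widgets = [_local(w.tag) for w in field]
            widget = widgets[0] if widgets else "(none)"
            accepts_input = any(w in USER_INPUT_WIDGETS for w in widgets)
            findings.append((form.get("name"), field.get("name"), widget, accepts_input))
    return findings


def high_risk(findings):
    """Keep only findings where the unencoded field accepts user input."""
    return [f for f in findings if f[3]]


def audit_directory(path):
    """Audit every *.xml file under `path`; unparseable files are skipped."""
    results = {}
    for xml_file in Path(path).rglob("*.xml"):
        try:
            findings = audit_form_xml(xml_file.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue
        if findings:
            results[str(xml_file)] = findings
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, findings in audit_directory(sys.argv[1]).items():
            for form, field, widget, accepts_input in findings:
                level = "HIGH" if accepts_input else "review"
                print(f"{level}: {path} form={form} field={field} widget={widget}")
    else:
        for finding in audit_form_xml(SAMPLE_FORM_XML):
            print(finding)
```

Run it with a directory argument to walk a checkout's widget files; fields flagged HIGH are the combination the advisory warns about, while display-only fields with encoding disabled are listed for review because the advisory's guidance is not to disable encoding without good reason at all.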