CVSS score: 7.5
CWE: CWE-94, CWE-1336

CVE-2022-25813: Server-Side Template Injection affecting the ecommerce plugin of Apache OFBiz

First published: Fri Sep 02 2022 (Updated: )

In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin can insert malicious content in the "Subject" field of a message sent from the "Contact us" page. The SSTI is triggered when a party manager later lists the communications in the party component; remote code execution (RCE) is then possible.

Credit: security@apache.org
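As an added defensive example, not part of the SecAlerts advisory or of the OFBiz project, the following Python scans stored contact-message subjects for template syntax so that a communications list can be checked before a party manager opens it. The marker list assumes a FreeMarker-style template engine, which is what OFBiz uses for its screens; the page itself does not name the engine. The record layout, the sample records, the marker family names and the function names are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Marker families that open an expression or directive in FreeMarker-style
# engines (${...}, #{...}, <#...>, <@...>, [#...]) plus two families from
# other engines so the same scan is usable outside OFBiz. Assumption: a
# customer-typed subject line has no legitimate reason to contain them.
TEMPLATE_MARKERS = {
    "freemarker-interpolation": re.compile(r"\$\{|#\{"),
    "freemarker-directive": re.compile(r"<[#@/]\w|\[[#@/]\w"),
    "jinja/mustache-style": re.compile(r"\{\{|\{%"),
    "jsp/erb-style": re.compile(r"<%"),
}


@dataclass
class Communication:
    """Minimal stand-in for a stored communication event (constructed)."""
    comm_id: str
    from_party: str
    subject: str


def find_template_markers(text):
    """Return the marker family names found in text, in table order."""
    return [name for name, rx in TEMPLATE_MARKERS.items() if rx.search(text)]


def scan_communications(records):
    """Return {comm_id: [marker families]} for every record whose subject
    contains template syntax. Records without a hit are omitted."""
    hits = {}
    for rec in records:
        found = find_template_markers(rec.subject)
        if found:
            hits[rec.comm_id] = found
    return hits


# Constructed sample records, not real OFBiz data.
SAMPLE_RECORDS = [
    Communication("10001", "anonymous", "Question about order #4521"),
    Communication("10002", "anonymous", "Order status ${order_id}?"),
    Communication("10003", "anonymous", "<#assign x=1>test"),
    Communication("10004", "DemoCustomer", "Return request"),
]

if __name__ == "__main__":
    for comm_id, families in scan_communications(SAMPLE_RECORDS).items():
        print(f"communication {comm_id}: template syntax found ({', '.join(families)})")
```

A hit marks a subject that should be treated as hostile input and handled outside any template-rendering screen; the scan is a hunting aid for existing data, and the instance still needs the 18.12.06 fix so that stored subjects are no longer evaluated as template source.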

Affected Software | Affected Version | How to fix
Apache OFBiz      | <18.12.06        |


Frequently Asked Questions

  • What is CVE-2022-25813?

    CVE-2022-25813 is a vulnerability in Apache OFBiz versions 18.12.05 and earlier that allows an attacker to insert malicious content in the "Subject" field of a "Contact us" message, leading to server-side template injection (SSTI).

  • How does CVE-2022-25813 affect Apache OFBiz?

    CVE-2022-25813 affects Apache OFBiz versions 18.12.05 and earlier, enabling an attacker to exploit server-side template injection through the ecommerce plugin's "Contact us" feature.

  • What is the severity of CVE-2022-25813?

    CVE-2022-25813 has a severity rating of 7.5 (high).

  • How can an attacker exploit CVE-2022-25813?

    An attacker can exploit CVE-2022-25813 by acting as an anonymous user of the ecommerce plugin, inserting malicious content in the "Subject" field of a "Contact us" message to trigger server-side template injection.

  • Is there a fix available for CVE-2022-25813?

    Yes, a fix is available for CVE-2022-25813 in Apache OFBiz version 18.12.06, which addresses the vulnerability.

© 2025 SecAlerts Pty Ltd.