vulnerability
Apache OFBiz: CVE-2019-10074: Remote Code Execution (RCE) vulnerability.
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Sep 11, 2019 | Dec 23, 2024 | Nov 28, 2025 |
Severity
7
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
Sep 11, 2019
Added
Dec 23, 2024
Modified
Nov 28, 2025
Description
An rce is possible by entering freemarker markup in an apache ofbiz form widget textarea field when encoding has been disabled on such a field. this was the case for the customer request "story" input in the order manager application. encoding should not be disabled without good reason and never within a field that accepts user input. mitigation: upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533
Solution
apache-ofbiz-upgrade-latest
References
- CWE-74
- CWE-116
- CVE-2019-10074
- https://attackerkb.com/topics/CVE-2019-10074
- URL-https://lists.apache.org/thread.html/a02aaa4c19dfd520807cf6b106b71aad0131a6543f7f60802ae71ec2%40%3Cnotifications.ofbiz.apache.org%3E
- URL-https://s.apache.org/r49vw
- URL-https://svn.apache.org/viewvc?view=revision&revision=1858533
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.