[ 
https://issues.apache.org/jira/browse/OFBIZ-11871?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11871:
------------------------------------
    Description: 
Alvaro Munoz <pwntes...@github.com> from the GitHub Security Lab 
(security...@github.com) reported a Server-Side Template Injection that uses 
"Static" to the OFBiz security team, and we thank him for that.

I'll quote his email message here later, once the vulnerability is fixed. 
It's a post-auth vulnerability, so we did not ask for a CVE.

Note: this vulnerability leads to Remote Code Execution (RCE)


  was:
Alvaro Munoz <pwntes...@github.com> from the GitHub Security Lab 
(security...@github.com) reported a Server-Side Template Injection on 
"renderSortField" to the OFBiz security team, and we thank him for that.

I'll quote his email message here later, once the vulnerability is fixed. 
It's a post-auth vulnerability, so we did not ask for a CVE.

Note: this vulnerability leads to Remote Code Execution (RCE)



> Server-Side Template Injection using Static
> -------------------------------------------
>
>                 Key: OFBIZ-11871
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11871
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: 17.12.03
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>
> Alvaro Munoz <pwntes...@github.com> from the GitHub Security Lab 
> (security...@github.com) reported a Server-Side Template Injection that uses 
> "Static" to the OFBiz security team, and we thank him for that.
> I'll quote his email message here later, once the vulnerability is fixed. 
> It's a post-auth vulnerability, so we did not ask for a CVE.
> Note: this vulnerability leads to Remote Code Execution (RCE)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)