[ https://issues.apache.org/jira/browse/OFBIZ-11948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17487094#comment-17487094 ]

ASF subversion and git services commented on OFBIZ-11948:
---------------------------------------------------------

Commit 036a1fde297daf6e18ccd17d5f3a21bb0a4c0ecf in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=036a1fd ]

Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)

I forgot about SecurityUtilTest::webShellTokensTesting. This fixes it.
Note that I expect to simplify and remove more tokens for PHP, but I first have other things to do...

> Remote Code Execution (File Upload) Vulnerability
> -------------------------------------------------
>
>                 Key: OFBIZ-11948
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11948
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: product/catalog
>    Affects Versions: Trunk, 17.12.04, 18.12.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 17.12.05, 18.12.01
>
>
> Harshit Shukla harshit.sh...@gmail.com reported this RCE vulnerability to the
> OFBiz security team, and we thank him for that.
> I'll quote his email message here later, once the vulnerability is fixed.
> It's a post-auth vulnerability so we did not ask for a CVE.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)