[CVE-2019-10073] Apache OFBiz XSS vulnerability in the "ecommerce" component

2019-09-10 Thread Jacopo Cappellato
Severity: Important Vendor: The Apache Software Foundation Versions Affected: OFBiz 16.11.01 to 16.11.05 Description: The "Blog", "Forum", "Contact Us" screens of the template "ecommerce" application bundled in Apache OFBiz are weak to Stored XSS attacks. Mitigation: Upgrade to 16.11.06 or

[CVE-2018-17200] Apache OFBiz unauthenticated remote code execution vulnerability in HttpEngine

2019-09-10 Thread Jacopo Cappellato
Severity: Important Vendor: The Apache Software Foundation Versions Affected: OFBiz 16.11.01 to 16.11.05 Description: The OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. This service takes

[CVE-2019-0189] Apache OFBiz remote code execution and arbitrary file delete via Java deserialization

2019-09-10 Thread Jacopo Cappellato
Severity: Important Vendor: The Apache Software Foundation Versions Affected: OFBiz 16.11.01 to 16.11.05 Description: The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to

[CVE-2019-10074] Apache OFBiz RCE (template injection)

2019-09-10 Thread Jacopo Cappellato
Severity: Important Vendor: The Apache Software Foundation Versions Affected: OFBiz 16.11.01 to 16.11.05 An RCE is possible by entering Freemarker markup in an OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story"

[ANNOUNCE] Apache OFBiz 16.11.06 released

2019-09-10 Thread Jacopo Cappellato
The Apache OFBiz community is pleased to announce the new release "Apache OFBiz 16.11.06". Apache OFBiz® is an open source product for the automation of enterprise processes that includes framework components and business applications. http://ofbiz.apache.org/ "Apache OFBiz 16.11.06" is the

Re: OFBiz Community Days – August 2019

2019-09-10 Thread Swapnil M Mane
Thanks so much everyone who participated in the OFBiz community day. We had another good community day, the community worked on around 20 issues, more details can be found here [1]. Please refer to this document [2] for the responses of the survey. Our next community day is planned on 22nd to

BillingAccount vs FinAccount usage scenarios

2019-09-10 Thread raja singh
As per the discussion http://ofbiz.135035.n4.nabble.com/Customer-returns-of-type-store-credit-and-BillingAccount-vs-FinAccount-td189402.html . Have the developers planned to remove the BillingAccount table in future? As of version 16, the Billing_Account table is still used by ofbiz. Currently when