I just want to bump this on the lists since that Douglas Cook idiot was causing 
a distraction.

It's very important that everyone with the OFBiz versions mentioned below (and 
trunk checkouts prior to r1500772) either upgrade or patch their installations 
as soon as possible.  I cannot stress this enough, do it now.

Regards
Scott

On 21/07/2013, at 4:03 AM, Jacopo Cappellato wrote:

> CVE-2013-2250 - Apache OFBiz Nested expression evaluation allows remote users 
> to execute arbitrary UEL functions in OFBiz
> 
> Vendor:
> The Apache Software Foundation
> 
> Versions Affected:
> Apache OFBiz 10.04.01 to 10.04.05
> Apache OFBiz 11.04.01 to 11.04.02
> Apache OFBiz 12.04.01
> 
> Description:
> 
> Parameter values are not correctly validated and if JUEL metacharacters are 
> included they are interpreted.
> 
> Mitigation:
> 10.04.x users should upgrade to 10.04.06
> 11.04.x users should upgrade to 11.04.03
> 12.04.01 users should upgrade to 12.04.02
> 
> Credit:
> This issue was discovered by Grégory Draperi (gregory.drap...@gmail.com).
> 
> References:
> 
> http://ofbiz.apache.org/download.html#vulnerabilities
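The advisory above describes the defect only as parameter values being interpreted when they contain JUEL metacharacters. As an added example (not code from the OFBiz project and not the fix referenced in the advisory), the following Python script shows the defensive check an operator might apply while upgrading: treat the EL expression delimiters `${` and `#{` as invalid in request parameters that should carry plain data, decode percent-encoding repeatedly so double-encoded delimiters are not missed, and flag matching requests in an access log. The log lines, IP addresses and the request path `/ecommerce/control/main` are constructed for the example.

```python
"""Added example (not from the OFBiz project or the advisory): reject or flag
request parameter values that contain JUEL expression delimiters."""
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote, urlsplit

# A JUEL/EL expression is opened by "${" or "#{". After decoding, any
# occurrence inside a value that should be plain data is suspicious.
EL_OPEN = re.compile(r"[$#]\{")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded delimiters (%2524%257B) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_el(value: str) -> bool:
    """True if the (decoded) value contains an EL expression opener."""
    return EL_OPEN.search(fully_decode(value)) is not None


def validate_params(params: dict[str, list[str]]) -> list[str]:
    """Return the names of parameters whose values contain EL delimiters.

    A request handler would reject the request (HTTP 400) when this list is
    non-empty instead of passing the values on for evaluation.
    """
    return sorted(
        name for name, values in params.items() if any(contains_el(v) for v in values)
    )


# Constructed access-log lines (Combined Log Format) for demonstration only.
# Line 2 carries a percent-encoded "${1+1}", line 3 a double-encoded "${2+2}".
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jul/2013:10:00:01 +0000] "GET /ecommerce/control/main?productId=WG-1111 HTTP/1.1" 200 512
10.0.0.7 - - [21/Jul/2013:10:00:02 +0000] "GET /ecommerce/control/main?productId=%24%7B1%2B1%7D HTTP/1.1" 200 512
10.0.0.9 - - [21/Jul/2013:10:00:03 +0000] "GET /ecommerce/control/main?productId=%2524%257B2%252B2%257D HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_log(text: str) -> list[dict]:
    """Return one record per request whose query string carries EL delimiters."""
    hits: list[dict] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs performs one round of percent-decoding; fully_decode in
        # contains_el handles any further encoding layers.
        params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        flagged = validate_params(params)
        if flagged:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "params": flagged})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} EL delimiter in parameter(s): {', '.join(hit['params'])}")
```

Rejecting on the delimiter rather than trying to strip it is the simpler rule: a value that legitimately needs `${` in an OFBiz parameter is rare, and a blocklist of individual function names would be easy to bypass through the nested evaluation the advisory title mentions.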
