Vendor: The Apache Software Foundation
Versions Affected: OFBiz 13.07.*, OFBiz 12.04.*, OFBiz 11.04.*
Description: By manipulating the URL parameter externalLoginKey, a malicious logged-in user could pass valid FreeMarker directives to the template engine, which are reflected on the web page; a specially crafted FreeMarker template could be used for remote code execution.
Mitigation: Upgrade to 16.11.01
Credit: Rick Radewagen, ERNW GmbH
References: http://ofbiz.apache.org/download.html#vulnerabilities
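The root cause described above is a server-side template injection: a request parameter ends up inside the template source that FreeMarker parses, rather than inside the data model that the template reads. The following Java example is added here to illustrate that distinction; it is not OFBiz code and does not reproduce the affected OFBiz code path. The class and method names are hypothetical, the FreeMarker 2.3.x API is assumed on the classpath, the URL and the allow-list pattern for externalLoginKey are assumptions, and the probe value is constructed for the demonstration.

```java
// Added example (not OFBiz's own code): the injection pattern from the advisory
// beside a hardened rendering path. Names and the key format are assumptions.
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class ExternalLoginKeyRendering {

    private static final Configuration CFG = buildConfig();

    private static Configuration buildConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_28);
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        return cfg;
    }

    /**
     * VULNERABLE PATTERN: the request value is concatenated into the template
     * source, so FreeMarker parses and executes any directive it contains.
     */
    public static String renderUnsafe(String externalLoginKey)
            throws IOException, TemplateException {
        String source = "<a href=\"/control/main?externalLoginKey="
                + externalLoginKey + "\">Continue</a>";
        Template t = new Template("unsafe", new StringReader(source), CFG);
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    // Hypothetical allow-list: assumes a legitimate key is an opaque
    // alphanumeric token. Adjust to the real token format before reuse.
    private static final Pattern KEY_SHAPE = Pattern.compile("^[A-Za-z0-9]{1,64}$");

    /**
     * HARDENED PATTERN: the template source is a constant; the request value
     * travels through the data model (never parsed as template code) and is
     * HTML-escaped on output. The shape check rejects unexpected input early.
     */
    public static String renderSafe(String externalLoginKey)
            throws IOException, TemplateException {
        if (externalLoginKey == null || !KEY_SHAPE.matcher(externalLoginKey).matches()) {
            throw new IllegalArgumentException("externalLoginKey has an unexpected shape");
        }
        String source = "<a href=\"/control/main?externalLoginKey="
                + "${externalLoginKey?html}\">Continue</a>";
        Template t = new Template("safe", new StringReader(source), CFG);
        Map<String, Object> model = new HashMap<>();
        model.put("externalLoginKey", externalLoginKey);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign probe: a harmless expression, not a real key.
        String probe = "${7*7}";

        // Vulnerable path: the expression is evaluated and "49" is rendered,
        // proving the parameter reached the template parser.
        System.out.println("unsafe: " + renderUnsafe(probe));

        // Hardened path: the value never reaches the parser; here it is
        // rejected outright by the shape check.
        try {
            renderSafe(probe);
        } catch (IllegalArgumentException e) {
            System.out.println("safe: rejected (" + e.getMessage() + ")");
        }

        // A well-formed key (constructed sample) renders as escaped text.
        System.out.println("safe: " + renderSafe("EL1234567890abcdef"));
    }
}
```

The two methods differ only in where the request value enters FreeMarker. In the unsafe path it is part of the string handed to the Template constructor, so it is parsed as template code; in the safe path the template is a fixed string and the value is looked up from the data model, which FreeMarker treats as data regardless of what characters it contains. The allow-list check is defense in depth: the data-model placement alone already prevents directive execution, and the format check additionally keeps malformed tokens out of downstream code.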