1. Home
  2. CVE Database
  3. CVE-2019-10074
CRITICAL · 9.8

CVE-2019-10074

An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input...

Vulnerability Description

An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
ApacheOfbiz>= 16.11.01, <= 16.11.05

Related Weaknesses (CWE)

CWE-74CWE-116

References

FAQ

What is CVE-2019-10074?

CVE-2019-10074 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input...

How severe is CVE-2019-10074?

CVE-2019-10074 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-10074?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Ofbiz.