CVE-2022-25813

CVE-2022-25813: Server-Side Template Injection affecting the ecommerce plugin of Apache OFBiz

Vendor Apache Software Foundation

Product Apache OFBiz

Weakness CWE-1336

Published September 2, 2022

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious content in a message “Subject” field from the "Contact us" page. Then a party manager needs to list the communications in the party component to activate the SSTI. A RCE is then possible.

Key dates

Disclosure timeline

September 2, 2022 CVE published

August 3, 2024 Record updated