CVE-2019-10074 is a vulnerability in Apache OFBiz
Published on September 11, 2019

An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533

NVD

Products Associated with CVE-2019-10074

Want to know whenever a new CVE is published for Apache OFBiz? stack.watch will email you.

Apache OFBiz

Affected Versions

Apache OFBiz Version OFBiz 16.11.01 to 16.11.05 is affected by CVE-2019-10074

Exploit Probability

EPSS

2.06%

Percentile

83.64%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

CVE-2019-10074 is a vulnerability in Apache OFBizPublished on September 11, 2019

Products Associated with CVE-2019-10074

Affected Versions

Exploit Probability

CVE-2019-10074 is a vulnerability in Apache OFBiz
Published on September 11, 2019