Apache OFBiz 18.12.05 or earlier: RCE via SSTI in Contact Us plugin
CVE-2022-25813 Published on September 2, 2022

Server-Side Template Injection affecting the ecommerce plugin of Apache OFBiz
In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin can insert malicious content in a message Subject field from the "Contact us" page. Then a party manager needs to list the communications in the party component to activate the SSTI. An RCE is then possible.

NVD

Weakness Type

CWE-1336

Products Associated with CVE-2022-25813


Affected Versions

Apache Software Foundation Apache OFBiz:

Exploit Probability

EPSS: 57.51%
Percentile: 98.11%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.