CVE-2016-4462
 
Severity Score
8.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01
Manipulando el parámetro de URL externalLoginKey, un usuario conectado malicioso podría pasar directivas Freemarker válidas que están reflejadas en la página web al motor de plantillas. Se podría utilizar utilizar una plantilla Freemarker especialmente manipulada para ejecutar código remotamente. Mitigación: Actualizar a Apache OFBiz 16.11.01.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2016-05-02 CVE Reserved
- 2017-08-30 CVE Published
- 2024-02-08 EPSS Updated
- 2024-09-17 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (1)
URL | Tag | Source |
---|---|---|
http://git.net/ml/dev.ofbiz.apache.org/2016-11/msg00180.html | Mailing List |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | 11.04 Search vendor "Apache" for product "Ofbiz" and version "11.04" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | 11.04.01 Search vendor "Apache" for product "Ofbiz" and version "11.04.01" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | 11.04.02 Search vendor "Apache" for product "Ofbiz" and version "11.04.02" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | 11.04.03 Search vendor "Apache" for product "Ofbiz" and version "11.04.03" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | 11.04.04 Search vendor "Apache" for product "Ofbiz" and version "11.04.04" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | 11.04.05 Search vendor "Apache" for product "Ofbiz" and version "11.04.05" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | 11.04.06 Search vendor "Apache" for product "Ofbiz" and version "11.04.06" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | 12.04 Search vendor "Apache" for product "Ofbiz" and version "12.04" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | 12.04.01 Search vendor "Apache" for product "Ofbiz" and version "12.04.01" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | 12.04.02 Search vendor "Apache" for product "Ofbiz" and version "12.04.02" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | 12.04.03 Search vendor "Apache" for product "Ofbiz" and version "12.04.03" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | 12.04.04 Search vendor "Apache" for product "Ofbiz" and version "12.04.04" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | 12.04.05 Search vendor "Apache" for product "Ofbiz" and version "12.04.05" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | 12.04.06 Search vendor "Apache" for product "Ofbiz" and version "12.04.06" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | 13.07 Search vendor "Apache" for product "Ofbiz" and version "13.07" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | 13.07.01 Search vendor "Apache" for product "Ofbiz" and version "13.07.01" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | 13.07.02 Search vendor "Apache" for product "Ofbiz" and version "13.07.02" | - |
Affected
| ||||||
Apache Search vendor "Apache" | Ofbiz Search vendor "Apache" for product "Ofbiz" | 13.07.03 Search vendor "Apache" for product "Ofbiz" and version "13.07.03" | - |
Affected
|