oss-sec mailing list archives

Apache OFBiz - Server-Side Template Injection (CVE-2022-25813)


From: Jacques Le Roux <jleroux () apache org>
Date: Fri, 2 Sep 2022 08:17:05 +0200

Severity:
High (SSTI then possible RCE)

Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz versions prior to 18.12.06

Description:
As an anonymous ecommerce client, an external attacker can insert malicious
content into the message “Subject” field of the "Contact us" page. A party
manager then needs to list the communications in the Party component to
trigger the SSTI. RCE is then possible.
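The flaw is the stored-SSTI pattern: untrusted text ends up inside the template source that is rendered later for a privileged user, rather than being passed to the template as a data value. The following is an added illustration written for this page, not OFBiz code and not the code path fixed in OFBIZ-12594; it assumes FreeMarker (the engine OFBiz uses for its screens, although the advisory does not name it) on the classpath, and the class, method names and the sample subject are constructed for the example.

```java
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;

/**
 * Illustration of the stored-SSTI pattern from the advisory. Written for this
 * page; it is not OFBiz code and does not reproduce the OFBiz rendering path.
 * Assumes FreeMarker 2.3.x on the classpath.
 */
public class SubjectRender {

    private static final Configuration CFG = new Configuration(Configuration.VERSION_2_3_31);

    // Vulnerable pattern: the stored, attacker-controlled subject is spliced into
    // the template *source*, so any ${...} or <#...> it contains is evaluated
    // when the list of communications is rendered for the party manager.
    static String renderUnsafe(String storedSubject) throws IOException, TemplateException {
        String source = "<li>Subject: " + storedSubject + "</li>";
        Template t = new Template("subjectRow", new StringReader(source), CFG);
        StringWriter out = new StringWriter();
        t.process(Map.of(), out);
        return out.toString();
    }

    // Hardened pattern: the template source is a fixed string and the subject is
    // handed over as a data-model value, so it is printed, never evaluated.
    static String renderSafe(String storedSubject) throws IOException, TemplateException {
        Template t = new Template("subjectRow",
                new StringReader("<li>Subject: ${subject}</li>"), CFG);
        StringWriter out = new StringWriter();
        t.process(Map.of("subject", storedSubject), out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless probe a tester might submit via "Contact us".
        String probe = "${7*7}";
        System.out.println(renderUnsafe(probe));
        System.out.println(renderSafe(probe));
    }
}
```

With the probe above, renderUnsafe returns the arithmetic result in place of the probe, which is the tell-tale of template evaluation; renderSafe returns the probe text verbatim. The data-model route is the fix; as defence in depth, a FreeMarker Configuration can additionally restrict the `?new` built-in with setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER), a general FreeMarker hardening that is not part of this advisory.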

Mitigation:
Upgrade to at least 18.12.06
or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12594

Credit:
Matei "Mal" Badanoiu

References:
http://ofbiz.apache.org/download.html#vulnerabilities

