VYPR
High severity8.8NVD Advisory· Published Aug 30, 2017· Updated Jun 17, 2026

CVE-2016-4462

CVE-2016-4462

Description

By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01

Affected products

20
  • Apache/Ofbiz20 versions
    cpe:2.3:a:apache:ofbiz:11.04:*:*:*:*:*:*:*+ 19 more
    • cpe:2.3:a:apache:ofbiz:11.04:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:11.04.01:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:11.04.02:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:11.04.03:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:11.04.04:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:11.04.05:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:11.04.06:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:12.04:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:12.04.01:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:12.04.02:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:12.04.03:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:12.04.04:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:12.04.05:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:12.04.06:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:13.07:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:13.07.01:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:13.07.02:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:13.07.03:*:*:*:*:*:*:*
    • (no CPE)range: before 16.11.01
    • (no CPE)range: 13.07.*

Patches

Vulnerability mechanics

News mentions

0

No linked articles in our index yet.