VYPR
Get started
← All advisories
High severity8.8NVD Advisory· Published Aug 30, 2017· Updated May 13, 2026

CVE-2016-4462

CVE-2016-4462

Description

By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01

Affected products

19
  • Apache/Ofbiz18 versions
    cpe:2.3:a:apache:ofbiz:11.04:*:*:*:*:*:*:*+ 17 more
    • cpe:2.3:a:apache:ofbiz:11.04:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:11.04.01:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:11.04.02:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:11.04.03:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:11.04.04:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:11.04.05:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:11.04.06:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:12.04:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:12.04.01:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:12.04.02:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:12.04.03:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:12.04.04:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:12.04.05:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:12.04.06:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:13.07:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:13.07.01:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:13.07.02:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ofbiz:13.07.03:*:*:*:*:*:*:*
  • Apache Software Foundation/Apache OFBizv5
    Range: 13.07.*

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

News mentions

0

No linked articles in our index yet.