Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue.
History

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Tue, 19 Nov 2024 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache ofbiz
CPEs cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache ofbiz
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 18 Nov 2024 09:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue.
Title Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE)
Weaknesses CWE-1336
CWE-352
CWE-94
References
Metrics cvssV4_0

{'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N/R:U/V:C/RE:H/U:Amber'}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-11-18T08:41:30.545Z

Updated: 2024-11-21T15:34:27.275Z

Reserved: 2024-10-10T06:25:35.776Z

Link: CVE-2024-48962

cve-icon Vulnrichment

Updated: 2024-11-18T09:03:47.896Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-11-18T09:15:06.237

Modified: 2024-11-21T16:15:26.007

Link: CVE-2024-48962

cve-icon Redhat

No data.