Apache OFBiz is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE)
Untrusted data flows from request.getParameter("_LAST_VIEW_NAME_") to a FreeMarker macro call definition. An attacker with privileges to render any page containing a lookup field will be able to execute arbitrary system commands by sending a payload such as:
Note that lookup fields are used in multiple modules of the backend application and they require different permissions.
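The flaw is that a raw request parameter reaches a FreeMarker macro definition. One defensive option, shown here as an added example rather than OFBiz's own fix, is to validate _LAST_VIEW_NAME_ at the servlet boundary against a strict identifier pattern and an allowlist of known view names; the filter class, the KNOWN_VIEWS set and the view names in it are hypothetical.

```java
import java.io.IOException;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet filter (not the project's own code) that rejects any
 * _LAST_VIEW_NAME_ value that is not a plain, known view identifier, so the
 * value can never carry template syntax into a FreeMarker macro call.
 */
public class ViewNameAllowlistFilter implements Filter {
    // Parameter name taken from the advisory text.
    static final String PARAM = "_LAST_VIEW_NAME_";
    // View names are plain identifiers: letters, digits, underscore, hyphen.
    static final Pattern SAFE_VIEW = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");
    // Constructed allowlist; a real deployment would build it from the
    // controller configuration that actually defines the application's views.
    static final Set<String> KNOWN_VIEWS = Set.of("main", "LookupPartyName", "FindProduct");

    /** True only if the value is absent, or is syntactically safe AND a known view. */
    static boolean isAllowedViewName(String value) {
        if (value == null) {
            return true; // nothing supplied, nothing to inject
        }
        return SAFE_VIEW.matcher(value).matches() && KNOWN_VIEWS.contains(value);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String view = req.getParameter(PARAM);
        if (!isAllowedViewName(view)) {
            // Log the rejection so monitoring can see the attempt, then refuse the request.
            req.getServletContext().log("Rejected " + PARAM + " value from " + req.getRemoteAddr());
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid view name");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Because the check is an allowlist of identifiers rather than a denylist of template syntax, it does not need to know which FreeMarker constructs are dangerous, and it also gives defenders a single log line to alert on.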
This issue leads to Remote Code Execution.
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
You can contact the GHSL team at firstname.lastname@example.org; please include GHSL-2020-067 in any communication regarding this issue.