{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-48962","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2024-10-10T06:25:35.776Z","datePublished":"2024-11-18T08:41:30.545Z","dateUpdated":"2026-05-04T14:55:28.249Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Apache OFBiz","vendor":"Apache Software Foundation","versions":[{"lessThan":"18.12.17","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Sebastiano Sartor <s@sebsrt.xyz>"},{"lang":"en","type":"finder","value":"Ryan Chan <https://www.linkedin.com/in/ryanchan07/>"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.</p><p>This issue affects Apache OFBiz: before 18.12.17.</p><p>Users are recommended to upgrade to version 18.12.17, which fixes the issue.</p>"}],"value":"Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.17.\n\nUsers are recommended to upgrade to version 18.12.17, which fixes the issue."}],"metrics":[{"cvssV4_0":{"Automatable":"NO","Recovery":"USER","Safety":"NOT_DEFINED","attackComplexity":"HIGH","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":8.9,"baseSeverity":"HIGH","privilegesRequired":"NONE","providerUrgency":"AMBER","subAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","userInteraction":"ACTIVE","valueDensity":"CONCENTRATED","vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N/R:U/V:C/RE:H/U:Amber","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"HIGH"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-94","description":"CWE-94 Improper Control of Generation of Code ('Code Injection')","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-352","description":"CWE-352 Cross-Site Request Forgery (CSRF)","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-1336","description":"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2026-05-04T14:55:28.249Z"},"references":[{"tags":["mitigation","release-notes","product"],"url":"https://ofbiz.apache.org/download.html"},{"tags":["patch"],"url":"https://ofbiz.apache.org/security.html"},{"tags":["issue-tracking"],"url":"https://issues.apache.org/jira/browse/OFBIZ-13162"},{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/6sddh4pts90cp8ktshqb4xykdp6lb6q6"}],"source":{"discovery":"EXTERNAL"},"title":"Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE)","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2024/11/16/2"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-11-18T09:03:47.896Z"}},{"affected":[{"vendor":"apache","product":"ofbiz","cpes":["cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","versions":[{"version":"0","status":"affected","lessThan":"18.12.17","versionType":"semver"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-11-19T15:43:23.785657Z","id":"CVE-2024-48962","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-11-21T15:34:27.275Z"}}]}}