CVE-2024-48962

Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)

Published: Nov 18, 2024 / Updated: 1d ago

CVSS 8.9 / EPSS 0.05% / High

Summary

Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), and Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz versions before 18.12.17.

Impact

This vulnerability is rated High, with a CVSS v4.0 base score of 8.9; the CVSS v3.1 vector on this page (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) scores 7.5, which is the second base score recorded in the timeline below. The weakness classes listed, code injection, CSRF and template injection, together with User Interaction: Required in both vectors, describe an unauthenticated, network-reachable attack that needs a victim user's action to reach a code-generating (template) path and execute arbitrary code. Confidentiality, integrity and availability impact on the vulnerable system are all High, and the v4.0 vector also rates the subsequent-system impact High, so a successful compromise may extend beyond the OFBiz host. Attack complexity is High and the v4.0 vector records attack requirements as present (AT:P), so a working attack depends on conditions outside the attacker's direct control.

Exploitation

There is no known public proof of concept, and no evidence of exploitation in the wild at the moment (EPSS 0.05%, 17th percentile).

Patch

A patch is available. Users are recommended to upgrade to Apache OFBiz version 18.12.17, which fixes the issue.

Mitigation

The primary mitigation is to upgrade to Apache OFBiz 18.12.17. If that is not immediately possible, reduce exposure in the meantime: both vectors rate the attack as network-reachable with no privileges required, so restrict access to the OFBiz web applications to trusted networks and place them behind a web application firewall that validates input and rejects template or script syntax in request parameters. Because the issue includes CSRF and requires user interaction, warn administrators not to browse untrusted sites from a browser that holds an OFBiz session, keep strong authentication on administrative accounts, and review request logs for unexpected template expressions. These measures lower the risk but do not remove it; only the upgrade does.
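The advisory defines the affected range only as "before 18.12.17", so the first triage step is a correct version comparison. The following is an added example, not code from this page, Feedly, NVD or the Apache OFBiz project. It takes the fixed version from the advisory and treats any suffixed build such as `18.12.17-SNAPSHOT` as a pre-release that sorts before the bare release number (an assumption borrowed from Maven conventions; the page does not say how OFBiz labels such builds). How the installed version string is obtained is left to the caller.

```python
"""Decide whether an Apache OFBiz version string falls in the affected range.

Added example; not part of this page or the OFBiz project. The only fact
taken from the advisory is the fixed version, 18.12.17: everything older
than it is affected.
"""
import re
from typing import Tuple

FIXED_VERSION = "18.12.17"  # from the advisory: "affects Apache OFBiz: before 18.12.17"

# Dotted numeric components, optionally followed by "-<suffix>" (e.g. -SNAPSHOT).
_VERSION_RE = re.compile(r"^(?P<nums>\d+(?:\.\d+)*)(?:-(?P<suffix>[A-Za-z0-9.]+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Return (numeric components, release flag).

    The release flag is 1 for a plain release and 0 for a suffixed build,
    so that 18.12.17-SNAPSHOT sorts before 18.12.17. Assumption: any
    suffixed build is a pre-release of that number (Maven convention).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group("nums").split("."))
    return nums, 0 if m.group("suffix") else 1


def compare(a: str, b: str) -> int:
    """-1, 0 or 1 as version a is older than, equal to, or newer than b.

    Missing trailing components count as 0, so 18.12 == 18.12.0.
    """
    an, ar = parse_version(a)
    bn, br = parse_version(b)
    width = max(len(an), len(bn))
    an = an + (0,) * (width - len(an))
    bn = bn + (0,) * (width - len(bn))
    if an != bn:
        return -1 if an < bn else 1
    return (ar > br) - (ar < br)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than the fixed release."""
    return compare(version, fixed) < 0


if __name__ == "__main__":
    # Constructed sample inputs, not versions seen on any real system.
    for candidate in ["18.12.16", "18.12.17-SNAPSHOT", "18.12.17", "18.12.18", "18.12"]:
        state = "AFFECTED" if is_affected(candidate) else "not affected"
        print(f"{candidate:>18}: {state}")
```

The comparison is deliberately strict: a snapshot of the fixed version is reported as affected, because the page gives no assurance that a pre-release build already carries the fix.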

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Amber

Timeline

First Article (Nov 16, 2024 at 2:17 PM / Open Source Security): Feedly found the first article mentioning CVE-2024-48962.

CVSS Estimate (Nov 16, 2024 at 2:18 PM): Feedly estimated the CVSS score as HIGH.

CVE Assignment (Nov 18, 2024 at 9:15 AM): NVD published the first details for CVE-2024-48962.

CVSS (Nov 18, 2024 at 9:20 AM / nvd): A CVSS base score of 8.9 has been assigned.

Detection in Vulnerability Scanners (Nov 19, 2024 at 7:53 AM): Detection for the vulnerability has been added to Qualys (731916).

Detection in Vulnerability Scanners (Nov 19, 2024 at 7:53 AM): Detection for the vulnerability has been added to Qualys (152420).

EPSS (Nov 19, 2024 at 10:15 AM): EPSS Score was set to 0.05% (Percentile: 17%).

CVSS (Nov 19, 2024 at 4:40 PM / nvd): A CVSS base score of 7.5 has been assigned.

[Static CVE timeline graph]

Affected Systems

Apache/ofbiz

Attack Patterns

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

News

CVE-2024-47208 & CVE-2024-48962: Apache OFBiz Exposed to Remote Code Execution
The Apache Software Foundation has released important security updates to address two critical vulnerabilities in Apache OFBiz, a popular open-source suite of business applications. These vulnerabilities, identified as CVE-2024-47208 and CVE-2024-48962, could allow attackers to execute arbitrary code on vulnerable systems, potentially compromising sensitive data and business operations.
NA - CVE-2024-48962 - Improper Control of Generation of Code...
Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), and Improper Neutralization of Special Elements Used in a Template Engine vulnerability in...
CVE-2024-48962 - Apache OFBiz Code Injection and CSRF Vulnerability
CVE ID : CVE-2024-48962 Published : Nov. 18, 2024, 9:15 a.m. Description : Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), and Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17.
CVE-2024-48962
Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), and Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the...
CVE-2024-48962
Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), and Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue.

CVSS V3.1

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
