Details
- Sub-task
- Status: Closed
- Minor
- Resolution: Fixed
- Trunk
- None
- Bug Crush Event - 21/2/2015
Description
I found that the latest version of the OFBiz framework was affected by an XMLRPC Remote Code Execution Vulnerability.
This vulnerability is caused by incomplete patch repair of CVE-2020-9496.
Successful exploit:
Please refer to the attachment for payload details. This HTTP request will execute the command `touch /tmp/success` on the attacked server.
Attachments
Issue Links
- is related to: OFBIZ-11716 Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496) - Closed