Details
- Sub-task
- Status: Closed
- Major
- Resolution: Fixed
- 17.12.03
- None
- Bug Crush Event - 21/2/2015
Description
Alvaro Munoz <pwntester@github.com> from the GitHub Security Lab (securitylab@github.com) reported a Server-Side Template Injection that uses "Static" to the OFBiz security team, and we thank him for that.
I'll quote his email message here later, once the vulnerability is fixed. It's a post-auth vulnerability, so we did not ask for a CVE.
Note: this vulnerability leads to Remote Code Execution (RCE).