By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01
[
{
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "13.07.*"
},
{
"status": "affected",
"version": "12.04.*"
},
{
"status": "affected",
"version": "11.04.*"
}
]
}
]