Vulnerability in Apache Software Foundation Ofbiz

CVE-2022-25813

In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin can insert malicious content into the message "Subject" field on the "Contact us" page. Then a party manager needs to list the…

EPSS: 0.543 (98.1st percentile)

Frequently asked questions

What is CVE-2022-25813?
CVE-2022-25813 is a vulnerability in Apache Software Foundation Ofbiz, classified under Improper Neutralization of Special Elements Used in a Template Engine. Published 2022-09-02.
Is CVE-2022-25813 known to be exploited?
7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.