{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-21T09:19:26.279","vulnerabilities":[{"cve":{"id":"CVE-2019-10074","sourceIdentifier":"security@apache.org","published":"2019-09-11T21:15:11.157","lastModified":"2024-11-21T04:18:20.730","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request \"story\" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533"},{"lang":"es","value":"Un RCE es posible mediante el ingreso del marcado de Freemarker en un campo textarea de Apache OFBiz Form Widget cuando la codificación ha sido deshabilitada en dicho campo. Este fue el caso para la entrada de \"story\" de Customer Request en la aplicación Order Manager. La codificación no debe ser deshabilitada sin una buena razón y nunca dentro de un campo que acepte entrada del usuario. Mitigación: actualice a la versión 16.11.06 o aplique manualmente la siguiente confirmación en la derivación 16.11: r1858533"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-74"},{"lang":"en","value":"CWE-116"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*","versionStartIncluding":"16.11.01","versionEndIncluding":"16.11.05","matchCriteriaId":"50D14E88-0092-41C5-84BB-C30AD300B2D4"}]}]}],"references":[{"url":"https://lists.apache.org/thread.html/a02aaa4c19dfd520807cf6b106b71aad0131a6543f7f60802ae71ec2%40%3Cnotifications.ofbiz.apache.org%3E","source":"security@apache.org"},{"url":"https://s.apache.org/r49vw","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"https://lists.apache.org/thread.html/a02aaa4c19dfd520807cf6b106b71aad0131a6543f7f60802ae71ec2%40%3Cnotifications.ofbiz.apache.org%3E","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://s.apache.org/r49vw","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Vendor Advisory"]}]}}]}