Impact
The vulnerability is a code injection flaw that lets a low-privileged authenticated user with the ability to edit Content/DataResource objects inject arbitrary FreeMarker template code. Because the OFBiz application engine renders that content as a template, the injected code executes with the privileges of the application, giving the attacker the ability to run system commands, exfiltrate data, or otherwise compromise the host. The flaw is a direct instance of improper control of code generation (code injection), the weakness category identified for this issue.
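The following is an added defensive example, not code from the advisory, from OpenCVE, or from the Apache OFBiz project. It shows the kind of audit check an operator can run over stored Content/DataResource text while the patch is being rolled out: it flags records whose text contains FreeMarker interpolation or directive syntax, so they can be reviewed and the editing rights of the submitting accounts reconsidered. The record shape (dataResourceId, textData) and the sample values are constructed for this example and are not taken from an OFBiz database.

```python
import re

# Constructed sample records (not real OFBiz data). The field names are
# assumptions for this example: an identifier and the editable text body.
SAMPLE_RECORDS = [
    {"dataResourceId": "DR-1001", "textData": "Welcome to our store. Contact us for details."},
    {"dataResourceId": "DR-1002", "textData": "Hello ${user.firstName}, your order has shipped."},
    {"dataResourceId": "DR-1003", "textData": "<#list items as i>${i}</#list>"},
    {"dataResourceId": "DR-1004", "textData": "Price: $ 19.99 (no braces here)"},
    {"dataResourceId": "DR-1005", "textData": "[#if x][/#if] square-bracket syntax"},
]

# FreeMarker syntax that should never appear in text supplied by an untrusted
# editor: interpolations (${...} and the legacy #{...}), angle-bracket
# directives (<#...>, </#...>, <@...>) and their square-bracket equivalents.
FREEMARKER_PATTERNS = {
    "interpolation": re.compile(r"\$\{|#\{"),
    "directive": re.compile(r"<[#/]|<@|\[[#/]|\[@"),
}


def find_template_markers(text):
    """Return the names of FreeMarker constructs found in text, in a fixed order."""
    return [name for name, pattern in FREEMARKER_PATTERNS.items() if pattern.search(text)]


def audit_records(records, text_field="textData", id_field="dataResourceId"):
    """Return (record id, markers) for every record whose text contains template syntax."""
    flagged = []
    for record in records:
        markers = find_template_markers(record.get(text_field) or "")
        if markers:
            flagged.append((record[id_field], markers))
    return flagged


if __name__ == "__main__":
    for record_id, markers in audit_records(SAMPLE_RECORDS):
        print(f"{record_id}: review required, contains {', '.join(markers)}")
```

Records flagged as containing directives deserve the closest attention, since a directive is what turns a text body into executable template logic; an interpolation alone may be legitimate in content authored by trusted staff, which is why the check reports the construct type rather than silently rejecting the record.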
Affected Systems
Affected installations are those running Apache OFBiz from the Apache Software Foundation at any version earlier than 24.09.07. Any deployment still on one of those releases that grants content or data-resource editing rights to users who are not fully trusted falls within the risk window. The vendor lists all pre-24.09.07 builds as vulnerable.
Risk and Exploitability
EPSS is < 1%, indicating a very low exploitation probability, while the CVSS score is 8.8, which reflects high severity. The vulnerability is not in the CISA KEV catalog, but the confirmed remote code execution capability means that any environment where a low-privileged user can edit Content/DataResource objects is at risk. The threat model requires an authenticated user with moderate privileges; the exploit is therefore relatively low in effort but high in impact. The best posture is to promptly apply the vendor's patch, which eliminates the code execution pathway.
OpenCVE Enrichment