CVE-2022-25813— Server-Side Template Injection affecting the ecommerce plugin of Apache OFBiz

EPSS 60.35% · P98 Updated Feb 25, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2022-25813

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Server-Side Template Injection affecting the ecommerce plugin of Apache OFBiz

Source: NVD (National Vulnerability Database)

Vulnerability Description

In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious content in a message “Subject” field from the "Contact us" page. Then a party manager needs to list the communications in the party component to activate the SSTI. A RCE is then possible.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

CWE-1336

Source: NVD (National Vulnerability Database)

Vulnerability Title

Apache OFBiz 代码注入漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Apache OFBiz是美国阿帕奇（Apache）基金会的一套企业资源计划（ERP）系统。该系统提供了一整套基于Java的Web应用程序组件和工具。 Apache OFBiz 18.12.05及之前版本存在安全漏洞，攻击者利用该漏洞可以在“Contact us”页面“Subject”字段中插入恶意内容，然后可以进行 RCE。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Apache Software Foundation	Apache OFBiz	Apache OFBiz ~ 18.12.05	-

II. Public POCs for CVE-2022-25813

#	POC Description	Source Link	Shenlong Link
1	CVE-2022-25813: FreeMarker Server-Side Template Injection in Apache OfBiz	https://github.com/mbadanoiu/CVE-2022-25813	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2022-25813

请登录查看更多情报信息。

https://lists.apache.org/thread/vmj5s0qb59t0lvzf3vol3z1sc3sgyb2bx_refsource_MISC
http://www.openwall.com/lists/oss-security/2022/09/02/4mailing-listx_refsource_MLIST
https://nvd.nist.gov/vuln/detail/CVE-2022-25813

Same Patch Batch · Apache Software Foundation · 2022-09-02 · 7 CVEs total

CVE-2022-38054		Session Fixation
CVE-2022-38170		Overly permissive umask for daemons
CVE-2022-29158		Regular Expression Denial of Service (ReDoS) vulnerability in Apache OFBiz
CVE-2022-29063		Java Deserialization via RMI Connection from the Solr plugin of Apache OFBiz
CVE-2022-25371		Unauth Path Traversal with file corruption affecting the Birt plugin of Apache OFBiz
CVE-2022-25370		Unauth Stored XSS vulnerability in the Birt plugin of Apache OFBiz

IV. Related Vulnerabilities

Same product: Apache OFBiz

Same vendor: Apache Software Foundation

Same weakness: CWE-1336

V. Comments for CVE-2022-25813

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2022-25813— Server-Side Template Injection affecting the ecommerce plugin of Apache OFBiz

I. Basic Information for CVE-2022-25813

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2022-25813

III. Intelligence Information for CVE-2022-25813

Same Patch Batch · Apache Software Foundation · 2022-09-02 · 7 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2022-25813

Leave a comment