Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.
http://www.securitytracker.com/id/1035513
http://www.securityfocus.com/archive/1/538034/100/0/threaded