Search criteria
171 vulnerabilities found for ofbiz by apache
FKIE_CVE-2025-59118
Vulnerability from fkie_nvd - Published: 2025-11-12 10:15 - Updated: 2025-11-13 15:04
Severity ?
Summary
Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.03.
Users are recommended to upgrade to version 24.09.03, which fixes the issue.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://issues.apache.org/jira/browse/OFBIZ-13292 | Issue Tracking | |
| security@apache.org | https://lists.apache.org/thread/202263kpy7g76pzsy1fm96h9lcmhsqpt | Mailing List, Vendor Advisory | |
| security@apache.org | https://ofbiz.apache.org/download.html | Product | |
| security@apache.org | https://ofbiz.apache.org/release-notes-24.09.03.html | Release Notes | |
| security@apache.org | https://ofbiz.apache.org/security.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/11/11/1 | Mailing List, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C0FD636F-C69E-4284-95A0-0CD8A5DEB08F",
"versionEndExcluding": "24.09.03",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 24.09.03.\n\nUsers are recommended to upgrade to version 24.09.03, which fixes the issue."
}
],
"id": "CVE-2025-59118",
"lastModified": "2025-11-13T15:04:59.130",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-11-12T10:15:43.703",
"references": [
{
"source": "security@apache.org",
"tags": [
"Issue Tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13292"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/202263kpy7g76pzsy1fm96h9lcmhsqpt"
},
{
"source": "security@apache.org",
"tags": [
"Product"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"source": "security@apache.org",
"tags": [
"Release Notes"
],
"url": "https://ofbiz.apache.org/release-notes-24.09.03.html"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2025/11/11/1"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-61623
Vulnerability from fkie_nvd - Published: 2025-11-12 10:15 - Updated: 2025-11-13 15:04
Severity ?
Summary
Reflected cross-site scripting vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.03.
Users are recommended to upgrade to version 24.09.03, which fixes the issue.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://issues.apache.org/jira/browse/OFBIZ-13295 | Issue Tracking | |
| security@apache.org | https://lists.apache.org/thread/sb2mngrg766qbqt5g29fo0qblk3v4x5y | Mailing List, Vendor Advisory | |
| security@apache.org | https://ofbiz.apache.org/download.html | Product | |
| security@apache.org | https://ofbiz.apache.org/release-notes-24.09.03.html | Release Notes | |
| security@apache.org | https://ofbiz.apache.org/security.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/11/11/2 | Mailing List, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C0FD636F-C69E-4284-95A0-0CD8A5DEB08F",
"versionEndExcluding": "24.09.03",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Reflected cross-site scripting vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 24.09.03.\n\nUsers are recommended to upgrade to version 24.09.03, which fixes the issue."
}
],
"id": "CVE-2025-61623",
"lastModified": "2025-11-13T15:04:42.673",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-11-12T10:15:43.903",
"references": [
{
"source": "security@apache.org",
"tags": [
"Issue Tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13295"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/sb2mngrg766qbqt5g29fo0qblk3v4x5y"
},
{
"source": "security@apache.org",
"tags": [
"Product"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"source": "security@apache.org",
"tags": [
"Release Notes"
],
"url": "https://ofbiz.apache.org/release-notes-24.09.03.html"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2025/11/11/2"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-54466
Vulnerability from fkie_nvd - Published: 2025-08-15 15:15 - Updated: 2025-11-04 22:16
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Summary
Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin.
This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used.
Even unauthenticated attackers can exploit this vulnerability.
Users are recommended to upgrade to version 24.09.02, which fixes the issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F57B463E-E4F4-4AF1-9661-F139A6C41869",
"versionEndExcluding": "24.09.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability leading to a possible RCE in Apache OFBiz\u00a0scrum plugin.\n\nThis issue affects Apache OFBiz: before 24.09.02 only when the\u00a0scrum plugin is used.\n\nEven unauthenticated attackers can exploit this vulnerability.\n\n\nUsers are recommended to upgrade to version 24.09.02, which fixes the issue."
},
{
"lang": "es",
"value": "Vulnerabilidad de control inadecuado de generaci\u00f3n de c\u00f3digo (\u0027Inyecci\u00f3n de c\u00f3digo\u0027) que puede provocar una RCE en el complemento Scrum de Apache OFBiz. Este problema afecta a Apache OFBiz: versiones anteriores al 24.09.02 \u00fanicamente cuando se utiliza el complemento Scrum. Incluso atacantes no autenticados pueden explotar esta vulnerabilidad. Se recomienda actualizar a la versi\u00f3n 24.09.02, que soluciona el problema."
}
],
"id": "CVE-2025-54466",
"lastModified": "2025-11-04T22:16:28.177",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-08-15T15:15:32.360",
"references": [
{
"source": "security@apache.org",
"tags": [
"Patch"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13276"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread/14d0yd9co9gx2mctd3vyz1cc8d39n915"
},
{
"source": "security@apache.org",
"tags": [
"Product"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"source": "security@apache.org",
"tags": [
"Release Notes"
],
"url": "https://ofbiz.apache.org/release-notes-24.09.02.html"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/08/05/1"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-30676
Vulnerability from fkie_nvd - Published: 2025-04-01 15:16 - Updated: 2025-04-29 20:52
Severity ?
Summary
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.19.
Users are recommended to upgrade to version 18.12.19, which fixes the issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*",
"matchCriteriaId": "72B590D0-2F1C-420C-BF24-B84D53838488",
"versionEndExcluding": "18.12.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.19.\n\nUsers are recommended to upgrade to version 18.12.19, which fixes the issue."
},
{
"lang": "es",
"value": "Vulnerabilidad de neutralizaci\u00f3n incorrecta de etiquetas HTML relacionadas con scripts en una p\u00e1gina web (XSS b\u00e1sico) en Apache OFBiz. Este problema afecta a Apache OFBiz: versiones anteriores a la 18.12.19. Se recomienda actualizar a la versi\u00f3n 18.12.19, que soluciona el problema."
}
],
"id": "CVE-2025-30676",
"lastModified": "2025-04-29T20:52:31.980",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-04-01T15:16:07.310",
"references": [
{
"source": "security@apache.org",
"tags": [
"Patch",
"Issue Tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13219"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/8d718qt8dqthnw1gmyxsq8glfdjklnjf"
},
{
"source": "security@apache.org",
"tags": [
"Product"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2025/04/01/5"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-80"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-26865
Vulnerability from fkie_nvd - Published: 2025-03-10 14:15 - Updated: 2025-06-23 18:37
Severity ?
Summary
Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: from 18.12.17 before 18.12.18.
It's a regression between 18.12.17 and 18.12.18.
In case you use something like that, which is not recommended!
For security, only official releases should be used.
In other words, if you use 18.12.17 you are still safe.
The version 18.12.17 is not a affected.
But something between 18.12.17 and 18.12.18 is.
In that case, users are recommended to upgrade to version 18.12.18, which fixes the issue.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://issues.apache.org/jira/browse/OFBIZ-12594 | Issue Tracking, Patch | |
| security@apache.org | https://lists.apache.org/thread/prb48ztk01bflyyjbl6p56wlcc1n5sz7 | Mailing List, Vendor Advisory | |
| security@apache.org | https://ofbiz.apache.org/download.html | Product | |
| security@apache.org | https://ofbiz.apache.org/security.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/03/07/1 | Mailing List, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ofbiz:18.12.17:*:*:*:*:*:*:*",
"matchCriteriaId": "C07CBDF9-F52E-4C71-BDA4-F431FE8F24F0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: from 18.12.17 before 18.12.18.\u00a0\u00a0\n\nIt\u0027s a regression between 18.12.17 and 18.12.18.\nIn case you use something like that, which is not recommended!\nFor security, only official releases should be used.\n\nIn other words, if you use 18.12.17 you are still safe.\nThe version 18.12.17 is not a affected.\nBut something between 18.12.17 and 18.12.18 is.\n\nIn that case, users are recommended to upgrade to version 18.12.18, which fixes the issue."
},
{
"lang": "es",
"value": "Vulnerabilidad de neutralizaci\u00f3n inadecuada de elementos especiales utilizados en un motor de plantillas en Apache OFBiz. Este problema afecta a Apache OFBiz: desde la versi\u00f3n 18.12.17 hasta la 18.12.18. Es una regresi\u00f3n entre la 18.12.17 y la 18.12.18. En caso de que utilices algo as\u00ed, \u00a1lo cual no se recomienda! Por seguridad, solo se deben utilizar las versiones oficiales. En otras palabras, si utilizas la 18.12.17, a\u00fan est\u00e1s a salvo. La versi\u00f3n 18.12.17 no est\u00e1 afectada. Pero algo entre la 18.12.17 y la 18.12.18 s\u00ed lo est\u00e1. En ese caso, se recomienda a los usuarios que actualicen a la versi\u00f3n 18.12.18, que soluciona el problema."
}
],
"id": "CVE-2025-26865",
"lastModified": "2025-06-23T18:37:09.027",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 2.5,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-03-10T14:15:25.220",
"references": [
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-12594"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/prb48ztk01bflyyjbl6p56wlcc1n5sz7"
},
{
"source": "security@apache.org",
"tags": [
"Product"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2025/03/07/1"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1336"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-47208
Vulnerability from fkie_nvd - Published: 2024-11-18 09:15 - Updated: 2025-06-24 16:20
Severity ?
Summary
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.17.
Users are recommended to upgrade to version 18.12.17, which fixes the issue.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://issues.apache.org/jira/browse/OFBIZ-13158 | Issue Tracking | |
| security@apache.org | https://lists.apache.org/thread/022r19skfofhv3lzql33vowlrvqndh11 | Mailing List, Vendor Advisory | |
| security@apache.org | https://ofbiz.apache.org/download.html | Product | |
| security@apache.org | https://ofbiz.apache.org/security.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/11/16/3 | Mailing List, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AF81B80E-CCE3-40EF-B109-07D2A061D53E",
"versionEndExcluding": "18.12.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF), Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.17.\n\nUsers are recommended to upgrade to version 18.12.17, which fixes the issue."
},
{
"lang": "es",
"value": "Vulnerabilidad de falsificaci\u00f3n de solicitud del lado del servidor (SSRF) y control inadecuado de la generaci\u00f3n de c\u00f3digo (\u0027inyecci\u00f3n de c\u00f3digo\u0027) en Apache OFBiz. Este problema afecta a Apache OFBiz: anterior a la versi\u00f3n 18.12.17. Se recomienda a los usuarios que actualicen a la versi\u00f3n 18.12.17, que soluciona el problema."
}
],
"id": "CVE-2024-47208",
"lastModified": "2025-06-24T16:20:57.757",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-11-18T09:15:06.100",
"references": [
{
"source": "security@apache.org",
"tags": [
"Issue Tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13158"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/022r19skfofhv3lzql33vowlrvqndh11"
},
{
"source": "security@apache.org",
"tags": [
"Product"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/11/16/3"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
},
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-48962
Vulnerability from fkie_nvd - Published: 2024-11-18 09:15 - Updated: 2025-02-11 16:16
Severity ?
Summary
Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.17.
Users are recommended to upgrade to version 18.12.17, which fixes the issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AF81B80E-CCE3-40EF-B109-07D2A061D53E",
"versionEndExcluding": "18.12.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.17.\n\nUsers are recommended to upgrade to version 18.12.17, which fixes the issue."
},
{
"lang": "es",
"value": "Control inadecuado de la generaci\u00f3n de c\u00f3digo (\"Inyecci\u00f3n de c\u00f3digo\"), Cross-Site Request Forgery (CSRF), : Neutralizaci\u00f3n inadecuada de elementos especiales utilizados en una vulnerabilidad de motor de plantillas en Apache OFBiz. Este problema afecta a Apache OFBiz: anterior a la versi\u00f3n 18.12.17. Se recomienda a los usuarios que actualicen a la versi\u00f3n 18.12.17, que soluciona el problema."
}
],
"id": "CVE-2024-48962",
"lastModified": "2025-02-11T16:16:41.330",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "HIGH"
},
"source": "security@apache.org",
"type": "Secondary"
}
]
},
"published": "2024-11-18T09:15:06.237",
"references": [
{
"source": "security@apache.org",
"tags": [
"Issue Tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13162"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/6sddh4pts90cp8ktshqb4xykdp6lb6q6"
},
{
"source": "security@apache.org",
"tags": [
"Product"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/11/16/2"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
},
{
"lang": "en",
"value": "CWE-352"
},
{
"lang": "en",
"value": "CWE-1336"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-94"
},
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-45507
Vulnerability from fkie_nvd - Published: 2024-09-04 09:15 - Updated: 2024-11-21 09:37
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.16.
Users are recommended to upgrade to version 18.12.16, which fixes the issue.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://issues.apache.org/jira/browse/OFBIZ-13132 | Issue Tracking, Patch, Vendor Advisory | |
| security@apache.org | https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy | Mailing List | |
| security@apache.org | https://ofbiz.apache.org/download.html | Product | |
| security@apache.org | https://ofbiz.apache.org/security.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/09/03/7 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*",
"matchCriteriaId": "51868E3D-516B-4DF1-8889-161D53E47ACE",
"versionEndExcluding": "18.12.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF), Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.16.\n\nUsers are recommended to upgrade to version 18.12.16, which fixes the issue."
},
{
"lang": "es",
"value": "Vulnerabilidad de Server-Side Request Forgery (SSRF) y control inadecuado de la generaci\u00f3n de c\u00f3digo (\u0027inyecci\u00f3n de c\u00f3digo\u0027) en Apache OFBiz. Este problema afecta a Apache OFBiz: anterior a la versi\u00f3n 18.12.16. Se recomienda a los usuarios que actualicen a la versi\u00f3n 18.12.16, que soluciona el problema."
}
],
"id": "CVE-2024-45507",
"lastModified": "2024-11-21T09:37:52.333",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-09-04T09:15:04.520",
"references": [
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13132"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy"
},
{
"source": "security@apache.org",
"tags": [
"Product"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2024/09/03/7"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
},
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
FKIE_CVE-2024-45195
Vulnerability from fkie_nvd - Published: 2024-09-04 09:15 - Updated: 2025-10-23 14:49
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Direct Request ('Forced Browsing') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.16.
Users are recommended to upgrade to version 18.12.16, which fixes the issue.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://issues.apache.org/jira/browse/OFBIZ-13130 | Issue Tracking, Vendor Advisory | |
| security@apache.org | https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy | Vendor Advisory | |
| security@apache.org | https://ofbiz.apache.org/download.html | Product | |
| security@apache.org | https://ofbiz.apache.org/security.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/09/03/6 | Mailing List | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45195 | Third Party Advisory, US Government Resource |
{
"cisaActionDue": "2025-02-25",
"cisaExploitAdd": "2025-02-04",
"cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
"cisaVulnerabilityName": "Apache OFBiz Forced Browsing Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*",
"matchCriteriaId": "51868E3D-516B-4DF1-8889-161D53E47ACE",
"versionEndExcluding": "18.12.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Direct Request (\u0027Forced Browsing\u0027) vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.16.\n\nUsers are recommended to upgrade to version 18.12.16, which fixes the issue."
},
{
"lang": "es",
"value": "Vulnerabilidad Direct Request (\"Navegaci\u00f3n forzada\") en Apache OFBiz. Este problema afecta a Apache OFBiz: anterior a la versi\u00f3n 18.12.16. Se recomienda a los usuarios que actualicen a la versi\u00f3n 18.12.16, que soluciona el problema."
}
],
"id": "CVE-2024-45195",
"lastModified": "2025-10-23T14:49:13.317",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-09-04T09:15:04.397",
"references": [
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13130"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy"
},
{
"source": "security@apache.org",
"tags": [
"Product"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/09/03/6"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45195"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-425"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-38856
Vulnerability from fkie_nvd - Published: 2024-08-05 09:15 - Updated: 2025-10-23 14:49
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
Incorrect Authorization vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: through 18.12.14.
Users are recommended to upgrade to version 18.12.15, which fixes the issue.
Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://issues.apache.org/jira/browse/OFBIZ-13128 | Issue Tracking | |
| security@apache.org | https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w | Mailing List, Vendor Advisory | |
| security@apache.org | https://ofbiz.apache.org/download.html | Product | |
| security@apache.org | https://ofbiz.apache.org/security.html | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/08/04/1 | Mailing List | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38856 | Third Party Advisory, US Government Resource |
{
"cisaActionDue": "2024-09-17",
"cisaExploitAdd": "2024-08-27",
"cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
"cisaVulnerabilityName": "Apache OFBiz Incorrect Authorization Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9121C1DF-B4B5-4292-B6D6-A85D855E2B15",
"versionEndExcluding": "18.12.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect Authorization vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: through 18.12.14.\n\nUsers are recommended to upgrade to version 18.12.15, which fixes the issue.\n\nUnauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don\u0027t explicitly check user\u0027s permissions because they rely on the configuration of their endpoints)."
},
{
"lang": "es",
"value": "Vulnerabilidad de autorizaci\u00f3n incorrecta en Apache OFBiz. Este problema afecta a Apache OFBiz: hasta la versi\u00f3n 18.12.14. Se recomienda a los usuarios que actualicen a la versi\u00f3n 18.12.15, que soluciona el problema. Los puntos finales no autenticados podr\u00edan permitir la ejecuci\u00f3n del c\u00f3digo de representaci\u00f3n de pantallas si se cumplen algunas condiciones previas (por ejemplo, cuando las definiciones de pantalla no comprueban expl\u00edcitamente los permisos del usuario porque dependen de la configuraci\u00f3n de sus endpoints)."
}
],
"id": "CVE-2024-38856",
"lastModified": "2025-10-23T14:49:04.117",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-08-05T09:15:56.780",
"references": [
{
"source": "security@apache.org",
"tags": [
"Issue Tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13128"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w"
},
{
"source": "security@apache.org",
"tags": [
"Product"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"source": "security@apache.org",
"tags": [
"Patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/08/04/1"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38856"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
CVE-2025-61623 (GCVE-0-2025-61623)
Vulnerability from cvelistv5 – Published: 2025-11-12 09:16 – Updated: 2025-11-12 14:29
VLAI?
Summary
Reflected cross-site scripting vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.03.
Users are recommended to upgrade to version 24.09.03, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
0 , < 24.09.03
(semver)
|
Credits
RedHive Team (security@hive.red) https://hive.red/en/
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-12T10:06:02.820Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/11/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-61623",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:29:21.144167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T14:29:43.400Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "24.09.03",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "RedHive Team (security@hive.red) https://hive.red/en/"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eReflected cross-site scripting vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 24.09.03.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 24.09.03, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Reflected cross-site scripting vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 24.09.03.\n\nUsers are recommended to upgrade to version 24.09.03, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T09:16:58.139Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13295"
},
{
"tags": [
"mitigation"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"release-notes"
],
"url": "https://ofbiz.apache.org/release-notes-24.09.03.html"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/sb2mngrg766qbqt5g29fo0qblk3v4x5y"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Reflected Cross-site Scripting",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-61623",
"datePublished": "2025-11-12T09:16:58.139Z",
"dateReserved": "2025-09-29T07:04:49.932Z",
"dateUpdated": "2025-11-12T14:29:43.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59118 (GCVE-0-2025-59118)
Vulnerability from cvelistv5 – Published: 2025-11-12 09:15 – Updated: 2025-11-12 14:31
VLAI?
Summary
Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.03.
Users are recommended to upgrade to version 24.09.03, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
0 , < 24.09.03
(custom)
|
Credits
RedHive Team (security@hive.red) https://hive.red/en/
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-12T10:06:00.568Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/11/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-59118",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:31:40.016692Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T14:31:48.367Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "24.09.03",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "RedHive Team (security@hive.red) https://hive.red/en/"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUnrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 24.09.03.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 24.09.03, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 24.09.03.\n\nUsers are recommended to upgrade to version 24.09.03, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T09:15:54.263Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"release-notes"
],
"url": "https://ofbiz.apache.org/release-notes-24.09.03.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13292"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/202263kpy7g76pzsy1fm96h9lcmhsqpt"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Critical Remote Command Execution via Unrestricted File Upload",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-59118",
"datePublished": "2025-11-12T09:15:54.263Z",
"dateReserved": "2025-09-09T09:57:31.247Z",
"dateUpdated": "2025-11-12T14:31:48.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54466 (GCVE-0-2025-54466)
Vulnerability from cvelistv5 – Published: 2025-08-15 14:13 – Updated: 2025-11-04 21:12
VLAI?
Summary
Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin.
This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used.
Even unauthenticated attackers can exploit this vulnerability.
Users are recommended to upgrade to version 24.09.02, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
0 , < 24.09.02
(custom)
|
Credits
Teeramet Eakwilai <teeramet@datafarm.co.th>
Thanasin Luangpipat
Jarukit Auikritskul
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-54466",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-18T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-19T03:55:29.855Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:12:47.762Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/05/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "24.09.02",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Teeramet Eakwilai \u003cteeramet@datafarm.co.th\u003e"
},
{
"lang": "en",
"type": "finder",
"value": "Thanasin Luangpipat"
},
{
"lang": "en",
"type": "finder",
"value": "Jarukit Auikritskul"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability leading to a possible RCE in Apache OFBiz\u0026nbsp;scrum plugin.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache OFBiz: before 24.09.02 only when the\u0026nbsp;scrum plugin is used.\u003c/p\u003e\u003cp\u003eEven unauthenticated attackers can exploit this vulnerability.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 24.09.02, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability leading to a possible RCE in Apache OFBiz\u00a0scrum plugin.\n\nThis issue affects Apache OFBiz: before 24.09.02 only when the\u00a0scrum plugin is used.\n\nEven unauthenticated attackers can exploit this vulnerability.\n\n\nUsers are recommended to upgrade to version 24.09.02, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T14:13:52.584Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"related"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"release-notes"
],
"url": "https://ofbiz.apache.org/release-notes-24.09.02.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13276"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/14d0yd9co9gx2mctd3vyz1cc8d39n915"
}
],
"source": {
"defect": [
"OFBIZ-13276"
],
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: RCE Vulnerability in scrum plugin",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-54466",
"datePublished": "2025-08-15T14:13:52.584Z",
"dateReserved": "2025-07-23T08:08:20.796Z",
"dateUpdated": "2025-11-04T21:12:47.762Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30676 (GCVE-0-2025-30676)
Vulnerability from cvelistv5 – Published: 2025-04-01 14:43 – Updated: 2025-04-02 22:03
VLAI?
Summary
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.19.
Users are recommended to upgrade to version 18.12.19, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
0 , < 18.12.19
(semver)
|
Credits
Khaled Nassar (@mindpatch)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-30676",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T19:18:34.226471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T19:19:46.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-04-02T22:03:27.945Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/04/01/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "18.12.19",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khaled Nassar (@mindpatch)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 18.12.19.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.19, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.19.\n\nUsers are recommended to upgrade to version 18.12.19, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T14:43:49.721Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation",
"release-notes",
"product"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13219"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/8d718qt8dqthnw1gmyxsq8glfdjklnjf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache OFBiz: Stored XSS Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-30676",
"datePublished": "2025-04-01T14:43:49.721Z",
"dateReserved": "2025-03-25T07:44:43.788Z",
"dateUpdated": "2025-04-02T22:03:27.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26865 (GCVE-0-2025-26865)
Vulnerability from cvelistv5 – Published: 2025-03-10 14:01 – Updated: 2025-03-11 19:26
VLAI?
Summary
Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: from 18.12.17 before 18.12.18.
It's a regression between 18.12.17 and 18.12.18.
In case you use something like that, which is not recommended!
For security, only official releases should be used.
In other words, if you use 18.12.17 you are still safe.
The version 18.12.17 is not a affected.
But something between 18.12.17 and 18.12.18 is.
In that case, users are recommended to upgrade to version 18.12.18, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
18.12.17 , < 18.12.18
(custom)
|
Credits
Matei "Mal" Badanoiu
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-03-10T14:03:22.308Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/03/07/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-26865",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-11T19:25:54.489016Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T19:26:51.972Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "18.12.18",
"status": "affected",
"version": "18.12.17",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matei \"Mal\" Badanoiu"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: from 18.12.17 before 18.12.18.\u0026nbsp;\u0026nbsp;\u003c/p\u003eIt\u0027s a regression between 18.12.17 and 18.12.18.\u003cbr\u003eIn case you use something like that, which is not recommended!\u003cbr\u003eFor security, only official releases should be used.\u003cbr\u003e\u003cbr\u003eIn other words, if you use 18.12.17 you are still safe.\u003cbr\u003eThe version 18.12.17 is not a affected.\u003cbr\u003eBut something between 18.12.17 and 18.12.18 is.\u003cbr\u003e\u003cbr\u003eIn that case, users are recommended to upgrade to version 18.12.18, which fixes the issue.\u003cbr\u003e"
}
],
"value": "Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: from 18.12.17 before 18.12.18.\u00a0\u00a0\n\nIt\u0027s a regression between 18.12.17 and 18.12.18.\nIn case you use something like that, which is not recommended!\nFor security, only official releases should be used.\n\nIn other words, if you use 18.12.17 you are still safe.\nThe version 18.12.17 is not a affected.\nBut something between 18.12.17 and 18.12.18 is.\n\nIn that case, users are recommended to upgrade to version 18.12.18, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T14:01:06.952Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation",
"release-notes",
"product"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-12594"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/prb48ztk01bflyyjbl6p56wlcc1n5sz7"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Server-Side Template Injection affecting the ecommerce plugin leading to possible RCE",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-26865",
"datePublished": "2025-03-10T14:01:06.952Z",
"dateReserved": "2025-02-17T09:53:13.390Z",
"dateUpdated": "2025-03-11T19:26:51.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47208 (GCVE-0-2024-47208)
Vulnerability from cvelistv5 – Published: 2024-11-18 08:43 – Updated: 2024-11-19 14:59
VLAI?
Summary
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.17.
Users are recommended to upgrade to version 18.12.17, which fixes the issue.
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
0 , < 18.12.17
(semver)
|
Credits
孙相 (Sun Xiang)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-11-18T09:03:46.416Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/11/16/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-47208",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T14:57:40.485280Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T14:59:02.765Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "18.12.17",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\u5b59\u76f8 (Sun Xiang)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eServer-Side Request Forgery (SSRF), Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 18.12.17.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.17, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Server-Side Request Forgery (SSRF), Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.17.\n\nUsers are recommended to upgrade to version 18.12.17, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-18T08:43:17.743Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation",
"product",
"release-notes"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13158"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/022r19skfofhv3lzql33vowlrvqndh11"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: URLs allowing remote use of Groovy expressions, leading to RCE",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-47208",
"datePublished": "2024-11-18T08:43:17.743Z",
"dateReserved": "2024-09-21T11:29:47.639Z",
"dateUpdated": "2024-11-19T14:59:02.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-48962 (GCVE-0-2024-48962)
Vulnerability from cvelistv5 – Published: 2024-11-18 08:41 – Updated: 2024-11-21 15:34
VLAI?
Summary
Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.17.
Users are recommended to upgrade to version 18.12.17, which fixes the issue.
Severity ?
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
0 , < 18.12.17
(semver)
|
Credits
Sebastiano Sartor <s@sebsrt.xyz>
Ryan <marimoo.eth@gmail.com>
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-11-18T09:03:47.896Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/11/16/2"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ofbiz",
"vendor": "apache",
"versions": [
{
"lessThan": "18.12.17",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48962",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T15:43:23.785657Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T15:34:27.275Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "18.12.17",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sebastiano Sartor \u003cs@sebsrt.xyz\u003e"
},
{
"lang": "en",
"type": "finder",
"value": "Ryan \u003cmarimoo.eth@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Control of Generation of Code (\u0027Code Injection\u0027), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 18.12.17.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.17, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.17.\n\nUsers are recommended to upgrade to version 18.12.17, which fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N/R:U/V:C/RE:H/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-18T08:41:30.545Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation",
"release-notes",
"product"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13162"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/6sddh4pts90cp8ktshqb4xykdp6lb6q6"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-48962",
"datePublished": "2024-11-18T08:41:30.545Z",
"dateReserved": "2024-10-10T06:25:35.776Z",
"dateUpdated": "2024-11-21T15:34:27.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45195 (GCVE-0-2024-45195)
Vulnerability from cvelistv5 – Published: 2024-09-04 08:08 – Updated: 2025-10-21 22:55
VLAI?
Summary
Direct Request ('Forced Browsing') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.16.
Users are recommended to upgrade to version 18.12.16, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-425 - Direct Request ('Forced Browsing')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
0 , < 18.12.16
(custom)
|
Credits
shin24 from National Cyber Security Vietnam
LuanPV from National Cyber Security Vietnam
Ryan Emmons, Lead Security Researcher at Rapid7
Hasib Vhora, Senior Threat Researcher, SonicWall
Xenc from SGLAB of Legendsec at Qi'anxin Group
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-09-04T09:03:00.547Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/03/6"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ofbiz",
"vendor": "apache",
"versions": [
{
"lessThan": "18.12.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45195",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T15:46:50.643589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-02-04",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45195"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:55:46.145Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45195"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-04T00:00:00+00:00",
"value": "CVE-2024-45195 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "18.12.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "shin24 from National Cyber Security Vietnam"
},
{
"lang": "en",
"type": "finder",
"value": "LuanPV from National Cyber Security Vietnam"
},
{
"lang": "en",
"type": "finder",
"value": "Ryan Emmons, Lead Security Researcher at Rapid7"
},
{
"lang": "en",
"type": "finder",
"value": "Hasib Vhora, Senior Threat Researcher, SonicWall"
},
{
"lang": "en",
"type": "finder",
"value": "Xenc from SGLAB of Legendsec at Qi\u0027anxin Group"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDirect Request (\u0027Forced Browsing\u0027) vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 18.12.16.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.16, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Direct Request (\u0027Forced Browsing\u0027) vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.16.\n\nUsers are recommended to upgrade to version 18.12.16, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-425",
"description": "CWE-425 Direct Request (\u0027Forced Browsing\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T08:08:59.201Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation",
"product",
"release-notes"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13130"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Confused controller-view authorization logic (forced browsing)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45195",
"datePublished": "2024-09-04T08:08:59.201Z",
"dateReserved": "2024-08-22T15:19:27.892Z",
"dateUpdated": "2025-10-21T22:55:46.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45507 (GCVE-0-2024-45507)
Vulnerability from cvelistv5 – Published: 2024-09-04 08:08 – Updated: 2024-09-13 03:55
VLAI?
Summary
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.16.
Users are recommended to upgrade to version 18.12.16, which fixes the issue.
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
0 , < 18.12.16
(semver)
|
Credits
孙相 (Sun Xiang)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-09-04T09:03:02.164Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/03/7"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_ofbiz:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_ofbiz",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThan": "18.12.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45507",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-13T03:55:20.597Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "18.12.16",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\u5b59\u76f8 (Sun Xiang)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eServer-Side Request Forgery (SSRF), Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 18.12.16.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.16, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Server-Side Request Forgery (SSRF), Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.16.\n\nUsers are recommended to upgrade to version 18.12.16, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T08:08:33.876Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation",
"product",
"release-notes"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13132"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache OFBiz: Prevent use of URLs in files when loading them from Java or Groovy, leading to a RCE",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45507",
"datePublished": "2024-09-04T08:08:33.876Z",
"dateReserved": "2024-09-01T14:10:41.649Z",
"dateUpdated": "2024-09-13T03:55:20.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38856 (GCVE-0-2024-38856)
Vulnerability from cvelistv5 – Published: 2024-08-05 08:20 – Updated: 2025-10-21 22:55
VLAI?
Summary
Incorrect Authorization vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: through 18.12.14.
Users are recommended to upgrade to version 18.12.15, which fixes the issue.
Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
Severity ?
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
0 , ≤ 18.12.14
(custom)
|
Credits
unam4
ruozhi
m1sn0w
kuiplatain
PaperPen@Timeline Sec
RacerZ
e0mlja
Donghyun
4ra1n
godspeed
Hasib Vhora
pwnull
blckder02-YHLab
Xenc from SGLAB of Legendsec at Qi'anxin Group
Nicholas Zubrisky.
Y4tacker
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T09:02:45.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/04/1"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ofbiz",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "18.12.14",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-38856",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-31T03:55:28.345914Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-08-27",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38856"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:55:48.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38856"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-27T00:00:00+00:00",
"value": "CVE-2024-38856 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "18.12.14",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "unam4"
},
{
"lang": "en",
"type": "finder",
"value": "ruozhi"
},
{
"lang": "en",
"type": "finder",
"value": "m1sn0w"
},
{
"lang": "en",
"type": "finder",
"value": "kuiplatain"
},
{
"lang": "en",
"type": "finder",
"value": "PaperPen@Timeline Sec"
},
{
"lang": "en",
"type": "finder",
"value": "RacerZ"
},
{
"lang": "en",
"type": "finder",
"value": "e0mlja"
},
{
"lang": "en",
"type": "finder",
"value": "Donghyun"
},
{
"lang": "en",
"type": "finder",
"value": "4ra1n"
},
{
"lang": "en",
"type": "finder",
"value": "godspeed"
},
{
"lang": "en",
"type": "finder",
"value": "Hasib Vhora"
},
{
"lang": "en",
"type": "finder",
"value": "pwnull"
},
{
"lang": "en",
"type": "finder",
"value": "blckder02-YHLab"
},
{
"lang": "en",
"type": "finder",
"value": "Xenc from SGLAB of Legendsec at Qi\u0027anxin Group"
},
{
"lang": "en",
"type": "finder",
"value": "Nicholas Zubrisky."
},
{
"lang": "en",
"type": "finder",
"value": "Y4tacker"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Authorization vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: through 18.12.14.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.15, which fixes the issue.\u003c/p\u003eUnauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don\u0027t explicitly check user\u0027s permissions because they rely on the configuration of their endpoints).\u003cbr\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: through 18.12.14.\n\nUsers are recommended to upgrade to version 18.12.15, which fixes the issue.\n\nUnauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don\u0027t explicitly check user\u0027s permissions because they rely on the configuration of their endpoints)."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T08:20:18.081Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"product",
"mitigation"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"related"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13128"
}
],
"source": {
"defect": [
"OFBIZ-13128"
],
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Unauthenticated endpoint could allow execution of screen rendering code",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-38856",
"datePublished": "2024-08-05T08:20:18.081Z",
"dateReserved": "2024-06-20T07:28:36.680Z",
"dateUpdated": "2025-10-21T22:55:48.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61623 (GCVE-0-2025-61623)
Vulnerability from nvd – Published: 2025-11-12 09:16 – Updated: 2025-11-12 14:29
VLAI?
Summary
Reflected cross-site scripting vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.03.
Users are recommended to upgrade to version 24.09.03, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
0 , < 24.09.03
(semver)
|
Credits
RedHive Team (security@hive.red) https://hive.red/en/
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-12T10:06:02.820Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/11/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-61623",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:29:21.144167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T14:29:43.400Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "24.09.03",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "RedHive Team (security@hive.red) https://hive.red/en/"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eReflected cross-site scripting vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 24.09.03.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 24.09.03, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Reflected cross-site scripting vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 24.09.03.\n\nUsers are recommended to upgrade to version 24.09.03, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T09:16:58.139Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13295"
},
{
"tags": [
"mitigation"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"release-notes"
],
"url": "https://ofbiz.apache.org/release-notes-24.09.03.html"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/sb2mngrg766qbqt5g29fo0qblk3v4x5y"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Reflected Cross-site Scripting",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-61623",
"datePublished": "2025-11-12T09:16:58.139Z",
"dateReserved": "2025-09-29T07:04:49.932Z",
"dateUpdated": "2025-11-12T14:29:43.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59118 (GCVE-0-2025-59118)
Vulnerability from nvd – Published: 2025-11-12 09:15 – Updated: 2025-11-12 14:31
VLAI?
Summary
Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.03.
Users are recommended to upgrade to version 24.09.03, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
0 , < 24.09.03
(custom)
|
Credits
RedHive Team (security@hive.red) https://hive.red/en/
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-12T10:06:00.568Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/11/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-59118",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:31:40.016692Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T14:31:48.367Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "24.09.03",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "RedHive Team (security@hive.red) https://hive.red/en/"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUnrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 24.09.03.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 24.09.03, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 24.09.03.\n\nUsers are recommended to upgrade to version 24.09.03, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T09:15:54.263Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"release-notes"
],
"url": "https://ofbiz.apache.org/release-notes-24.09.03.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13292"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/202263kpy7g76pzsy1fm96h9lcmhsqpt"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Critical Remote Command Execution via Unrestricted File Upload",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-59118",
"datePublished": "2025-11-12T09:15:54.263Z",
"dateReserved": "2025-09-09T09:57:31.247Z",
"dateUpdated": "2025-11-12T14:31:48.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54466 (GCVE-0-2025-54466)
Vulnerability from nvd – Published: 2025-08-15 14:13 – Updated: 2025-11-04 21:12
VLAI?
Summary
Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin.
This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used.
Even unauthenticated attackers can exploit this vulnerability.
Users are recommended to upgrade to version 24.09.02, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
0 , < 24.09.02
(custom)
|
Credits
Teeramet Eakwilai <teeramet@datafarm.co.th>
Thanasin Luangpipat
Jarukit Auikritskul
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-54466",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-18T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-19T03:55:29.855Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:12:47.762Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/05/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "24.09.02",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Teeramet Eakwilai \u003cteeramet@datafarm.co.th\u003e"
},
{
"lang": "en",
"type": "finder",
"value": "Thanasin Luangpipat"
},
{
"lang": "en",
"type": "finder",
"value": "Jarukit Auikritskul"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability leading to a possible RCE in Apache OFBiz\u0026nbsp;scrum plugin.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache OFBiz: before 24.09.02 only when the\u0026nbsp;scrum plugin is used.\u003c/p\u003e\u003cp\u003eEven unauthenticated attackers can exploit this vulnerability.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 24.09.02, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability leading to a possible RCE in Apache OFBiz\u00a0scrum plugin.\n\nThis issue affects Apache OFBiz: before 24.09.02 only when the\u00a0scrum plugin is used.\n\nEven unauthenticated attackers can exploit this vulnerability.\n\n\nUsers are recommended to upgrade to version 24.09.02, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T14:13:52.584Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"related"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"release-notes"
],
"url": "https://ofbiz.apache.org/release-notes-24.09.02.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13276"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/14d0yd9co9gx2mctd3vyz1cc8d39n915"
}
],
"source": {
"defect": [
"OFBIZ-13276"
],
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: RCE Vulnerability in scrum plugin",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-54466",
"datePublished": "2025-08-15T14:13:52.584Z",
"dateReserved": "2025-07-23T08:08:20.796Z",
"dateUpdated": "2025-11-04T21:12:47.762Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30676 (GCVE-0-2025-30676)
Vulnerability from nvd – Published: 2025-04-01 14:43 – Updated: 2025-04-02 22:03
VLAI?
Summary
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.19.
Users are recommended to upgrade to version 18.12.19, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
0 , < 18.12.19
(semver)
|
Credits
Khaled Nassar (@mindpatch)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-30676",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T19:18:34.226471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T19:19:46.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-04-02T22:03:27.945Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/04/01/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "18.12.19",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khaled Nassar (@mindpatch)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 18.12.19.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.19, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.19.\n\nUsers are recommended to upgrade to version 18.12.19, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T14:43:49.721Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation",
"release-notes",
"product"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13219"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/8d718qt8dqthnw1gmyxsq8glfdjklnjf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache OFBiz: Stored XSS Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-30676",
"datePublished": "2025-04-01T14:43:49.721Z",
"dateReserved": "2025-03-25T07:44:43.788Z",
"dateUpdated": "2025-04-02T22:03:27.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26865 (GCVE-0-2025-26865)
Vulnerability from nvd – Published: 2025-03-10 14:01 – Updated: 2025-03-11 19:26
VLAI?
Summary
Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: from 18.12.17 before 18.12.18.
It's a regression between 18.12.17 and 18.12.18.
In case you use something like that, which is not recommended!
For security, only official releases should be used.
In other words, if you use 18.12.17 you are still safe.
The version 18.12.17 is not a affected.
But something between 18.12.17 and 18.12.18 is.
In that case, users are recommended to upgrade to version 18.12.18, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
18.12.17 , < 18.12.18
(custom)
|
Credits
Matei "Mal" Badanoiu
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-03-10T14:03:22.308Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/03/07/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-26865",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-11T19:25:54.489016Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T19:26:51.972Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "18.12.18",
"status": "affected",
"version": "18.12.17",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matei \"Mal\" Badanoiu"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: from 18.12.17 before 18.12.18.\u0026nbsp;\u0026nbsp;\u003c/p\u003eIt\u0027s a regression between 18.12.17 and 18.12.18.\u003cbr\u003eIn case you use something like that, which is not recommended!\u003cbr\u003eFor security, only official releases should be used.\u003cbr\u003e\u003cbr\u003eIn other words, if you use 18.12.17 you are still safe.\u003cbr\u003eThe version 18.12.17 is not a affected.\u003cbr\u003eBut something between 18.12.17 and 18.12.18 is.\u003cbr\u003e\u003cbr\u003eIn that case, users are recommended to upgrade to version 18.12.18, which fixes the issue.\u003cbr\u003e"
}
],
"value": "Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: from 18.12.17 before 18.12.18.\u00a0\u00a0\n\nIt\u0027s a regression between 18.12.17 and 18.12.18.\nIn case you use something like that, which is not recommended!\nFor security, only official releases should be used.\n\nIn other words, if you use 18.12.17 you are still safe.\nThe version 18.12.17 is not a affected.\nBut something between 18.12.17 and 18.12.18 is.\n\nIn that case, users are recommended to upgrade to version 18.12.18, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T14:01:06.952Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation",
"release-notes",
"product"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-12594"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/prb48ztk01bflyyjbl6p56wlcc1n5sz7"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Server-Side Template Injection affecting the ecommerce plugin leading to possible RCE",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-26865",
"datePublished": "2025-03-10T14:01:06.952Z",
"dateReserved": "2025-02-17T09:53:13.390Z",
"dateUpdated": "2025-03-11T19:26:51.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47208 (GCVE-0-2024-47208)
Vulnerability from nvd – Published: 2024-11-18 08:43 – Updated: 2024-11-19 14:59
VLAI?
Summary
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.17.
Users are recommended to upgrade to version 18.12.17, which fixes the issue.
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
0 , < 18.12.17
(semver)
|
Credits
孙相 (Sun Xiang)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-11-18T09:03:46.416Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/11/16/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-47208",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T14:57:40.485280Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T14:59:02.765Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "18.12.17",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\u5b59\u76f8 (Sun Xiang)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eServer-Side Request Forgery (SSRF), Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 18.12.17.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.17, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Server-Side Request Forgery (SSRF), Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.17.\n\nUsers are recommended to upgrade to version 18.12.17, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-18T08:43:17.743Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation",
"product",
"release-notes"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13158"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/022r19skfofhv3lzql33vowlrvqndh11"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: URLs allowing remote use of Groovy expressions, leading to RCE",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-47208",
"datePublished": "2024-11-18T08:43:17.743Z",
"dateReserved": "2024-09-21T11:29:47.639Z",
"dateUpdated": "2024-11-19T14:59:02.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-48962 (GCVE-0-2024-48962)
Vulnerability from nvd – Published: 2024-11-18 08:41 – Updated: 2024-11-21 15:34
VLAI?
Summary
Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.17.
Users are recommended to upgrade to version 18.12.17, which fixes the issue.
Severity ?
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
0 , < 18.12.17
(semver)
|
Credits
Sebastiano Sartor <s@sebsrt.xyz>
Ryan <marimoo.eth@gmail.com>
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-11-18T09:03:47.896Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/11/16/2"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ofbiz",
"vendor": "apache",
"versions": [
{
"lessThan": "18.12.17",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48962",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T15:43:23.785657Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T15:34:27.275Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "18.12.17",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sebastiano Sartor \u003cs@sebsrt.xyz\u003e"
},
{
"lang": "en",
"type": "finder",
"value": "Ryan \u003cmarimoo.eth@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Control of Generation of Code (\u0027Code Injection\u0027), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 18.12.17.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.17, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.17.\n\nUsers are recommended to upgrade to version 18.12.17, which fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N/R:U/V:C/RE:H/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-18T08:41:30.545Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation",
"release-notes",
"product"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13162"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/6sddh4pts90cp8ktshqb4xykdp6lb6q6"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-48962",
"datePublished": "2024-11-18T08:41:30.545Z",
"dateReserved": "2024-10-10T06:25:35.776Z",
"dateUpdated": "2024-11-21T15:34:27.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45195 (GCVE-0-2024-45195)
Vulnerability from nvd – Published: 2024-09-04 08:08 – Updated: 2025-10-21 22:55
VLAI?
Summary
Direct Request ('Forced Browsing') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.16.
Users are recommended to upgrade to version 18.12.16, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-425 - Direct Request ('Forced Browsing')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
0 , < 18.12.16
(custom)
|
Credits
shin24 from National Cyber Security Vietnam
LuanPV from National Cyber Security Vietnam
Ryan Emmons, Lead Security Researcher at Rapid7
Hasib Vhora, Senior Threat Researcher, SonicWall
Xenc from SGLAB of Legendsec at Qi'anxin Group
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-09-04T09:03:00.547Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/03/6"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ofbiz",
"vendor": "apache",
"versions": [
{
"lessThan": "18.12.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45195",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T15:46:50.643589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-02-04",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45195"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:55:46.145Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45195"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-04T00:00:00+00:00",
"value": "CVE-2024-45195 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "18.12.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "shin24 from National Cyber Security Vietnam"
},
{
"lang": "en",
"type": "finder",
"value": "LuanPV from National Cyber Security Vietnam"
},
{
"lang": "en",
"type": "finder",
"value": "Ryan Emmons, Lead Security Researcher at Rapid7"
},
{
"lang": "en",
"type": "finder",
"value": "Hasib Vhora, Senior Threat Researcher, SonicWall"
},
{
"lang": "en",
"type": "finder",
"value": "Xenc from SGLAB of Legendsec at Qi\u0027anxin Group"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDirect Request (\u0027Forced Browsing\u0027) vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 18.12.16.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.16, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Direct Request (\u0027Forced Browsing\u0027) vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.16.\n\nUsers are recommended to upgrade to version 18.12.16, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-425",
"description": "CWE-425 Direct Request (\u0027Forced Browsing\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T08:08:59.201Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation",
"product",
"release-notes"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13130"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Confused controller-view authorization logic (forced browsing)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45195",
"datePublished": "2024-09-04T08:08:59.201Z",
"dateReserved": "2024-08-22T15:19:27.892Z",
"dateUpdated": "2025-10-21T22:55:46.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45507 (GCVE-0-2024-45507)
Vulnerability from nvd – Published: 2024-09-04 08:08 – Updated: 2024-09-13 03:55
VLAI?
Summary
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.16.
Users are recommended to upgrade to version 18.12.16, which fixes the issue.
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
0 , < 18.12.16
(semver)
|
Credits
孙相 (Sun Xiang)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-09-04T09:03:02.164Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/03/7"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_ofbiz:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_ofbiz",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThan": "18.12.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45507",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-13T03:55:20.597Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "18.12.16",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\u5b59\u76f8 (Sun Xiang)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eServer-Side Request Forgery (SSRF), Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 18.12.16.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.16, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Server-Side Request Forgery (SSRF), Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.16.\n\nUsers are recommended to upgrade to version 18.12.16, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T08:08:33.876Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation",
"product",
"release-notes"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13132"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache OFBiz: Prevent use of URLs in files when loading them from Java or Groovy, leading to a RCE",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45507",
"datePublished": "2024-09-04T08:08:33.876Z",
"dateReserved": "2024-09-01T14:10:41.649Z",
"dateUpdated": "2024-09-13T03:55:20.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38856 (GCVE-0-2024-38856)
Vulnerability from nvd – Published: 2024-08-05 08:20 – Updated: 2025-10-21 22:55
VLAI?
Summary
Incorrect Authorization vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: through 18.12.14.
Users are recommended to upgrade to version 18.12.15, which fixes the issue.
Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
Severity ?
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
0 , ≤ 18.12.14
(custom)
|
Credits
unam4
ruozhi
m1sn0w
kuiplatain
PaperPen@Timeline Sec
RacerZ
e0mlja
Donghyun
4ra1n
godspeed
Hasib Vhora
pwnull
blckder02-YHLab
Xenc from SGLAB of Legendsec at Qi'anxin Group
Nicholas Zubrisky.
Y4tacker
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T09:02:45.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/04/1"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ofbiz",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "18.12.14",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-38856",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-31T03:55:28.345914Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-08-27",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38856"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:55:48.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38856"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-27T00:00:00+00:00",
"value": "CVE-2024-38856 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "18.12.14",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "unam4"
},
{
"lang": "en",
"type": "finder",
"value": "ruozhi"
},
{
"lang": "en",
"type": "finder",
"value": "m1sn0w"
},
{
"lang": "en",
"type": "finder",
"value": "kuiplatain"
},
{
"lang": "en",
"type": "finder",
"value": "PaperPen@Timeline Sec"
},
{
"lang": "en",
"type": "finder",
"value": "RacerZ"
},
{
"lang": "en",
"type": "finder",
"value": "e0mlja"
},
{
"lang": "en",
"type": "finder",
"value": "Donghyun"
},
{
"lang": "en",
"type": "finder",
"value": "4ra1n"
},
{
"lang": "en",
"type": "finder",
"value": "godspeed"
},
{
"lang": "en",
"type": "finder",
"value": "Hasib Vhora"
},
{
"lang": "en",
"type": "finder",
"value": "pwnull"
},
{
"lang": "en",
"type": "finder",
"value": "blckder02-YHLab"
},
{
"lang": "en",
"type": "finder",
"value": "Xenc from SGLAB of Legendsec at Qi\u0027anxin Group"
},
{
"lang": "en",
"type": "finder",
"value": "Nicholas Zubrisky."
},
{
"lang": "en",
"type": "finder",
"value": "Y4tacker"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Authorization vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: through 18.12.14.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.15, which fixes the issue.\u003c/p\u003eUnauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don\u0027t explicitly check user\u0027s permissions because they rely on the configuration of their endpoints).\u003cbr\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: through 18.12.14.\n\nUsers are recommended to upgrade to version 18.12.15, which fixes the issue.\n\nUnauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don\u0027t explicitly check user\u0027s permissions because they rely on the configuration of their endpoints)."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T08:20:18.081Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"product",
"mitigation"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"related"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13128"
}
],
"source": {
"defect": [
"OFBIZ-13128"
],
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Unauthenticated endpoint could allow execution of screen rendering code",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-38856",
"datePublished": "2024-08-05T08:20:18.081Z",
"dateReserved": "2024-06-20T07:28:36.680Z",
"dateUpdated": "2025-10-21T22:55:48.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}