CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47208 – Apache OFBiz: URLs allowing remote use of Groovy expressions, leading to RCE
https://notcve.org/view.php?id=CVE-2024-47208
18 Nov 2024 — Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue. • https://issues.apache.org/jira/browse/OFBIZ-13158 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-48962 – Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE)
https://notcve.org/view.php?id=CVE-2024-48962
18 Nov 2024 — Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue. • https://issues.apache.org/jira/browse/OFBIZ-13162 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-352: Cross-Site Request Forgery (CSRF) CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 10.0EPSS: 75%CPEs: 1EXPL: 0CVE-2024-45195 – Apache OFBiz Forced Browsing Vulnerability
https://notcve.org/view.php?id=CVE-2024-45195
04 Sep 2024 — Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue. Vulnerabilidad Direct Request ("Navegación forzada") en Apache OFBiz. Este problema afecta a Apache OFBiz: anterior a la versión 18.12.16. • https://issues.apache.org/jira/browse/OFBIZ-13130 • CWE-425: Direct Request ('Forced Browsing') •
CVSS: 10.0EPSS: 65%CPEs: 1EXPL: 1CVE-2024-45507 – Apache OFBiz: Prevent use of URLs in files when loading them from Java or Groovy, leading to a RCE
https://notcve.org/view.php?id=CVE-2024-45507
04 Sep 2024 — Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue. Vulnerabilidad de Server-Side Request Forgery (SSRF) y control inadecuado de la generación de código ('inyección de código') en Apache OFBiz. Este problema afecta a Apache OFBiz: anterior a la versión 18.12.16. • https://github.com/Avento/CVE-2024-45507_Behinder_Webshell • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 94%CPEs: 1EXPL: 10CVE-2024-38856 – Apache OFBiz Incorrect Authorization Vulnerability
https://notcve.org/view.php?id=CVE-2024-38856
05 Aug 2024 — Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints). This vulnerability allows remote attackers to bypass authentication on affec... • https://github.com/codeb0ss/CVE-2024-38856-PoC • CWE-863: Incorrect Authorization •
CVSS: 9.1EPSS: 1%CPEs: 1EXPL: 1CVE-2024-36104 – Apache OFBiz: Path traversal leading to a RCE
https://notcve.org/view.php?id=CVE-2024-36104
04 Jun 2024 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue. Limitación inadecuada de una vulnerabilidad de nombre de ruta a un directorio restringido ("Path Traversal") en Apache OFBiz. Este problema afecta a Apache OFBiz: antes del 18.12.14. • https://github.com/ggfzx/CVE-2024-36104 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 93%CPEs: 1EXPL: 6CVE-2024-32113 – Apache OFBiz Path Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2024-32113
08 May 2024 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue. Limitación inadecuada de una vulnerabilidad de nombre de ruta a un directorio restringido ("Path Traversal") en Apache OFBiz. Este problema afecta a Apache OFBiz: antes del 18.12.13. Se recomienda a los usuarios actualizar a la versión 18.12.13, que soluciona el problema. • https://packetstorm.news/files/id/179138 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25065 – Apache OFBiz: Path traversal allowing authentication bypass.
https://notcve.org/view.php?id=CVE-2024-25065
28 Feb 2024 — Possible path traversal in Apache OFBiz allowing authentication bypass. Users are recommended to upgrade to version 18.12.12, that fixes the issue. Posible path traversal en Apache OFBiz que permite omitir la autenticación. Se recomienda a los usuarios actualizar a la versión 18.12.12, que soluciona el problema. Possible path traversal in Apache OFBiz allowing authentication bypass. Users are recommended to upgrade to version 18.12.12, that fixes the issue. • http://www.openwall.com/lists/oss-security/2024/02/28/10 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23946 – Apache OFBiz: Path traversal or file inclusion
https://notcve.org/view.php?id=CVE-2024-23946
21 Feb 2024 — Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue. Posible path traversal en Apache OFBiz permitiendo la inclusión de archivos. Se recomienda a los usuarios actualizar a la versión 18.12.12, que soluciona el problema. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apache OFBiz. Authentication is not required to exploit this vulnerability. The specific flaw exis... • http://www.openwall.com/lists/oss-security/2024/02/28/9 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 66%CPEs: 1EXPL: 12CVE-2023-51467 – Apache OFBiz: Pre-authentication Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2023-51467
26 Dec 2023 — The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code La vulnerabilidad permite a los atacantes omitir la autenticación para lograr Server-Side Request Forgery (SSRF) simple. • https://github.com/Chocapikk/CVE-2023-51467 • CWE-918: Server-Side Request Forgery (SSRF) •