CVE-2024-45195 – Apache OFBiz: Confused controller-view authorization logic (forced browsing)
https://notcve.org/view.php?id=CVE-2024-45195
Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue. Vulnerabilidad Direct Request ("Navegación forzada") en Apache OFBiz. Este problema afecta a Apache OFBiz: anterior a la versión 18.12.16. Se recomienda a los usuarios que actualicen a la versión 18.12.16, que soluciona el problema. • https://issues.apache.org/jira/browse/OFBIZ-13130 https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy https://ofbiz.apache.org/download.html https://ofbiz.apache.org/security.html • CWE-425: Direct Request ('Forced Browsing') •
CVE-2024-45507 – Apache OFBiz: Prevent use of URLs in files when loading them from Java or Groovy, leading to a RCE
https://notcve.org/view.php?id=CVE-2024-45507
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue. Vulnerabilidad de Server-Side Request Forgery (SSRF) y control inadecuado de la generación de código ('inyección de código') en Apache OFBiz. Este problema afecta a Apache OFBiz: anterior a la versión 18.12.16. Se recomienda a los usuarios que actualicen a la versión 18.12.16, que soluciona el problema. • https://issues.apache.org/jira/browse/OFBIZ-13132 https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy https://ofbiz.apache.org/download.html https://ofbiz.apache.org/security.html • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2024-38856 – Apache OFBiz Incorrect Authorization Vulnerability
https://notcve.org/view.php?id=CVE-2024-38856
Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints). This vulnerability allows remote attackers to bypass authentication on affected installations of Apache OFBiz. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the resolveURI method. The issue results from improper URI validation. An attacker can leverage this vulnerability to bypass authentication on the system. • https://github.com/codeb0ss/CVE-2024-38856-PoC https://github.com/Praison001/CVE-2024-38856-ApacheOfBiz https://github.com/0x20c/CVE-2024-38856-EXP https://github.com/ThatNotEasy/CVE-2024-38856 https://github.com/BBD-YZZ/CVE-2024-38856-RCE https://github.com/emanueldosreis/CVE-2024-38856 https://issues.apache.org/jira/browse/OFBIZ-13128 https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w https://ofbiz.apache.org/download.html https://ofbiz.apache.org/security.html • CWE-863: Incorrect Authorization •
CVE-2024-36104 – Apache OFBiz: Path traversal leading to a RCE
https://notcve.org/view.php?id=CVE-2024-36104
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue. Limitación inadecuada de una vulnerabilidad de nombre de ruta a un directorio restringido ("Path Traversal") en Apache OFBiz. Este problema afecta a Apache OFBiz: antes del 18.12.14. Se recomienda a los usuarios actualizar a la versión 18.12.14, que soluciona el problema. • https://github.com/ggfzx/CVE-2024-36104 http://www.openwall.com/lists/oss-security/2024/06/03/1 https://issues.apache.org/jira/browse/OFBIZ-13092 https://lists.apache.org/thread/sv0xr8b1j7mmh5p37yldy9vmnzbodz2o https://ofbiz.apache.org/download.html https://ofbiz.apache.org/security.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-32113 – Apache OFBiz Path Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2024-32113
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue. Limitación inadecuada de una vulnerabilidad de nombre de ruta a un directorio restringido ("Path Traversal") en Apache OFBiz. Este problema afecta a Apache OFBiz: antes del 18.12.13. Se recomienda a los usuarios actualizar a la versión 18.12.13, que soluciona el problema. Apache OFBiz contains a path traversal vulnerability that could allow for remote code execution. • https://www.exploit-db.com/exploits/52020 https://github.com/Mr-xn/CVE-2024-32113 https://github.com/RacerZ-fighting/CVE-2024-32113-POC https://github.com/YongYe-Security/CVE-2024-32113 http://www.openwall.com/lists/oss-security/2024/05/09/1 https://issues.apache.org/jira/browse/OFBIZ-13006 https://lists.apache.org/thread/w6s60okgkxp2th1sr8vx0ndmgk68fqrd https://ofbiz.apache.org/download.html https://ofbiz.apache.org/security.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •