CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-25370 – Unauth Stored XSS vulnerability in the Birt plugin of Apache OFBiz
https://notcve.org/view.php?id=CVE-2022-25370
02 Sep 2022 — Apache OFBiz uses the Birt plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. In Apache OFBiz release 18.12.05, and earlier versions, by leveraging a vulnerability in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142), an unauthenticated malicious user could perform a stored XSS attack in order to inject a malicious payload and execute it using the stored XSS. Apache OFBiz usa el plugin Birt (https://eclipse.github.io/birt-website/) para crear visualizacione... • http://www.openwall.com/lists/oss-security/2022/09/02/8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2021-37608 – Arbitrary file upload vulnerability in OFBiz
https://notcve.org/view.php?id=CVE-2021-37608
18 Aug 2021 — Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands. This issue affects Apache OFBiz version 17.12.07 and prior versions. Upgrade to at least 17.12.08 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12297. Una vulnerabilidad de Carga sin Restricciones de Archivos de Tipo Peligroso en Apache OFBiz, permite a un atacante ejecutar comandos remotos. Este problema afecta a Apache OFBiz versión 17.12.07 y versiones anteriores.... • https://lists.apache.org/thread.html/r164c91c47d638869c38e41b3ce501ecaa71f385939f098b2e04df049%40%3Cnotifications.ofbiz.apache.org%3E • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 56%CPEs: 1EXPL: 1CVE-2021-30128 – Unsafe deserialization in Apache OFBiz
https://notcve.org/view.php?id=CVE-2021-30128
27 Apr 2021 — Apache OFBiz has unsafe deserialization prior to 17.12.07 version Apache OFBiz, presenta una deserialización no segura, anterior a versión 17.12.07 • https://github.com/LioTree/CVE-2021-30128-EXP • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 91%CPEs: 1EXPL: 1CVE-2021-29200 – RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI
https://notcve.org/view.php?id=CVE-2021-29200
27 Apr 2021 — Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack Apache OFBiz, presenta deserialización no segura anteriores a versión 17.12.07. Un usuario no autenticado puede llevar a cabo un ataque RCE • https://github.com/freeide/CVE-2021-29200 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 97%CPEs: 1EXPL: 7CVE-2021-26295 – RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI
https://notcve.org/view.php?id=CVE-2021-26295
22 Mar 2021 — Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz. Apache OFBiz, presenta una deserialización no segura versiones anteriores a 17.12.06. Un atacante no autenticado puede usar esta vulnerabilidad para apoderarse con éxito de Apache OFBiz • https://packetstorm.news/files/id/162104 • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-13923
https://notcve.org/view.php?id=CVE-2020-13923
15 Jul 2020 — IDOR vulnerability in the order processing feature from ecommerce component of Apache OFBiz before 17.12.04 Vulnerabilidad de IDOR en la funcionalidad order processing del componente ecommerce de Apache OFBiz versiones anteriores a 17.12.04 • https://lists.apache.org/thread.html/r0a0a701610b3bcdf14634047313adab3f1628bb9aa55cf29cd262ef5%40%3Ccommits.ofbiz.apache.org%3E • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 5.4EPSS: 0%CPEs: 8EXPL: 1CVE-2013-0177 – Apache OFBiz 10.4.x - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-0177
30 Jan 2014 — Multiple cross-site scripting (XSS) vulnerabilities in widget/screen/ModelScreenWidget.java in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.05, 11.04.01, and possibly 09.04.x allow remote authenticated users to inject arbitrary web script or HTML via the (1) Screenlet.title or (2) Image.alt Widget attribute, as demonstrated by the parentPortalPageId parameter to exampleext/control/ManagePortalPages. Múltiples vulnerabilidades de XSS en widget/screen/ModelScreenWidget.java en Apache Open... • https://www.exploit-db.com/exploits/38230 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 5CVE-2010-0432 – Apache OFBiz - Admin Creator
https://notcve.org/view.php?id=CVE-2010-0432
15 Apr 2010 — Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 09.04 and earlier, as used in Opentaps, Neogia, and Entente Oya, allow remote attackers to inject arbitrary web script or HTML via (1) the productStoreId parameter to control/exportProductListing, (2) the partyId parameter to partymgr/control/viewprofile (aka partymgr/control/login), (3) the start parameter to myportal/control/showPortalPage, (4) an invalid URI beginning with /facility/control/ReceiveRetu... • https://www.exploit-db.com/exploits/12264 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •