CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

IDOR vulnerability in the order processing feature of the ecommerce component of Apache OFBiz before 17.12.04.

References:
https://lists.apache.org/thread.html/r0a0a701610b3bcdf14634047313adab3f1628bb9aa55cf29cd262ef5%40%3Ccommits.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d%40%3Ccommits.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/r2e669797c1ea08562253239d2dc4192d951945e0c36cb0754f5394a6%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/rac7e36c3daa60dd4b813f72942921b4fad71da821480ebcea96ecea1%40%3Cnotifications.ofbiz.apache.org%3E
https://s.apache.org/chokl

CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 8.8 • EPSS: 0% • CPEs: 18 • EXPL: 0

By manipulating the URL parameter externalLoginKey, a malicious, logged-in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01.

References:
http://git.net/ml/dev.ofbiz.apache.org/2016-11/msg00180.html

CWE-20: Improper Input Validation

CVSS: 6.1 • EPSS: 0% • CPEs: 18 • EXPL: 0

The default configuration of the Apache OFBiz framework offers a blog functionality. Different users are able to operate blogs which are related to specific parties. In the form field for the creation of new blog articles the user input of the summary field as well as the article field is not properly sanitized. It is possible to inject arbitrary JavaScript code in these form fields. This code gets executed from the browser of every user who is visiting this article.

References:
https://lists.apache.org/thread.html/28987cffe0237fa67eca9de8bbbc04a917ac8785342ad9e5a196c978%40%3Cuser.ofbiz.apache.org%3E
https://s.apache.org/Owsz

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')