
CVSS: 9.8  EPSS: 90%  CPEs: 1  EXPL: 1

Apache OFBiz has unsafe deserialization prior to version 17.12.07. An unauthenticated user can perform an RCE attack.
• https://github.com/freeide/CVE-2021-29200
• http://www.openwall.com/lists/oss-security/2021/04/27/4
• https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d%40%3Ccommits.ofbiz.apache.org%3E
• https://lists.apache.org/thread.html/r708351f1a8af7adb887cc3d8a92bed8fcbff4a9e495e69a9ee546fda%40%3Cnotifications.ofbiz.apache.org%3E
• https://lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d%40%3Ccommits.ofbiz.apache.org%3E
• https://lists.apache.org/thread.html/re21d25d9fb89e36cea910633779c23f144b9b60596b113
• CWE-502: Deserialization of Untrusted Data

CVSS: 9.8  EPSS: 97%  CPEs: 1  EXPL: 5

Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.
• https://github.com/yumusb/CVE-2021-26295
• https://github.com/dskho/CVE-2021-26295
• https://github.com/rakjong/CVE-2021-26295-Apache-OFBiz
• https://github.com/coolyin001/CVE-2021-26295--
• http://packetstormsecurity.com/files/162104/Apache-OFBiz-SOAP-Java-Deserialization.html
• https://lists.apache.org/thread.html/r078351a876ed284ba667b33aba29428d7308a5bd4df78f14a3df6661%40%3Cnotifications.ofbiz.apache.org%3E
• https://lists.apache.org/thread.html/r0d97a3b7a14777b9e9e085b483629d2774343c4723236d1c73f43ff0%40%3Cdev.ofbiz.apache.org%3E
• https:
• CWE-502: Deserialization of Untrusted Data

CVSS: 6.1  EPSS: 89%  CPEs: 1  EXPL: 12

XML-RPC requests are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03.
• https://www.exploit-db.com/exploits/50178
• https://github.com/dwisiswant0/CVE-2020-9496
• https://github.com/g33xter/CVE-2020-9496
• https://github.com/s4dbrd/CVE-2020-9496
• https://github.com/Ly0nt4r/CVE-2020-9496
• https://github.com/cyber-niz/CVE-2020-9496
• https://github.com/ambalabanov/CVE-2020-9496
• https://github.com/birdlinux/CVE-2020-9496
• https://github.com/Vulnmachines/apache-ofbiz-CVE-2020-9496
• http://packetstormsecurity.com/files/158887/Apache-OFBiz-XML-RPC-Java-Deseri
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-502: Deserialization of Untrusted Data

CVSS: 5.3  EPSS: 0%  CPEs: 1  EXPL: 0

IDOR vulnerability in the order processing feature of the ecommerce component of Apache OFBiz before 17.12.04.
• https://lists.apache.org/thread.html/r0a0a701610b3bcdf14634047313adab3f1628bb9aa55cf29cd262ef5%40%3Ccommits.ofbiz.apache.org%3E
• https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d%40%3Ccommits.ofbiz.apache.org%3E
• https://lists.apache.org/thread.html/r2e669797c1ea08562253239d2dc4192d951945e0c36cb0754f5394a6%40%3Cannounce.apache.org%3E
• https://lists.apache.org/thread.html/rac7e36c3daa60dd4b813f72942921b4fad71da821480ebcea96ecea1%40%3Cnotifications.ofbiz.apache.org%3E
• https://s.apache.org/chokl
• CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 8.8  EPSS: 1%  CPEs: 1  EXPL: 2

Apache OFBiz 17.12.01 is vulnerable to some CSRF attacks. Apache OFBiz version 17.12.03 suffers from a cross-site request forgery vulnerability.
• https://www.exploit-db.com/exploits/48408
• http://packetstormsecurity.com/files/157514/Apache-OFBiz-17.12.03-Cross-Site-Request-Forgery.html
• https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E
• https://lists.apache.org/thread.html/r392206f7cd131f0fc3f7c60a767ced93ced00411d55c1777c219c956%40%3Cnotifications.ofbiz.apache.org%3E
• https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E
• https://lists.apache.org/thread.html/r9eeb6c41d
• CWE-352: Cross-Site Request Forgery (CSRF)