CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2019-0189
https://notcve.org/view.php?id=CVE-2019-0189
The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is passed to the "deserialize" method of "XmlSerializer". Apache Ofbiz is affected via two different dependencies: "commons-beanutils" and an out-dated version of "commons-fileupload" Mitigation: Upgrade to 16.11.06 or manually apply the commits from OFBIZ-10770 and OFBIZ-10837 on branch 16 Es conocido que java.io.ObjectInputStream causa problemas de serialización del Java. Este problema aquí está expuesto por la URL "webtools/control/httpService" y usa la deserialización de Java para llevar a cabo la ejecución del código. • https://lists.apache.org/thread.html/7316b4fa811e1ec27604cda3c30560e7389fc6b8c91996c9640fabb8%40%3Cnotifications.ofbiz.apache.org%3E https://lists.apache.org/thread.html/986ed5f1a0e209f87ed4a2d348ae5735054f9188912bb2fed7a5543f%40%3Cnotifications.ofbiz.apache.org%3E https://lists.apache.org/thread.html/r11fd9562dbdfc0be95e40518cbef70ab2565129f6f542a870ab82c69%40%3Cnotifications.ofbiz.apache.org%3E https://lists.apache.org/thread.html/r2c2db313ac9a43f1cfbd01092e4acb0b8bd38d90091889236ad827e7%40%3Cnotifications.ofbiz.apache.org%3E https://lists.apache.org/thread.html/r883840bbb4e2366acd0f6477e86b58400090 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-17200
https://notcve.org/view.php?id=CVE-2018-17200
The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. This service takes the `serviceContent` parameter in the request and deserializes it using XStream. This `XStream` instance is slightly guarded by disabling the creation of `ProcessBuilder`. However, this can be easily bypassed (and in multiple ways). Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16 r1850017+1850019 El motor HTTP de Apache OFBiz (org.apache.ofbiz.service.engine.HttpEngine.java) maneja las peticiones de servicios HTTP por medio del end point /webtools/control/httpService. • https://lists.apache.org/thread.html/r034123f2767830169fd04c922afb22d2389de6e2faf3a083207202bc%40%3Ccommits.ofbiz.apache.org%3E https://lists.apache.org/thread.html/r8f01aab5dd92487c191599def3c950c643d7ad297c4db1d6722ea151%40%3Ccommits.ofbiz.apache.org%3E https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d%40%3Ccommits.ofbiz.apache.org%3E https://lists.apache.org/thread.html/rfafb229c0d805c8f2bd232d28cd1297876faf5c953f1d7bcf76eef4f%40%3Ccommits.ofbiz.apache.org%3E https://s.apache.org/m9boi •
CVSS: 7.5EPSS: 4%CPEs: 1EXPL: 1CVE-2018-8033
https://notcve.org/view.php?id=CVE-2018-8033
In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext. The exploitation occurs by having DOCTYPEs pointing to external references that trigger a payload that returns secret information from the host. En Apache OFBiz, desde la versión 16.11.01 hasta la 16.11.04, el motor HTTP OFBiz (org.apache.ofbiz.service.engine.HttpEngine.java) gestiona las peticiones a servicios HTTP mediante el endpoint /webtools/control/httpService. Tanto las peticiones POST como las GET al endpoint httpService podrían contener 3 parámetros: serviceName, serviceMode y serviceContext. • https://github.com/Cappricio-Securities/CVE-2018-8033 https://lists.apache.org/thread.html/e8fb551e86e901932081f81ee9985bb72052b4d412f23d89b1282777%40%3Cuser.ofbiz.apache.org%3E • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 1CVE-2017-15714
https://notcve.org/view.php?id=CVE-2017-15714
The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape user input property passed. This allows for code injection by passing that code through the URL. For example by appending this code "__format=%27;alert(%27xss%27)" to the URL an alert window would execute. El plugin BIRT en Apache OFBiz de la versión 16.11.01 a la 16.11.03 no escapa la propiedad de la entrada de usuario pasada. Esto permite que se inyecte código pasando ese código a través de una URL. • https://s.apache.org/UO3W • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 0CVE-2012-1622
https://notcve.org/view.php?id=CVE-2012-1622
Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors. Las versiones 10.04.x de Apache OFBiz anteriores a la 10.04.02 permiten que atacantes remotos ejecuten código arbitrario mediante vectores sin especificar. • http://mail-archives.apache.org/mod_mbox/ofbiz-user/201204.mbox/%3C4F378887-E697-44E7-976C-48B9B7475C4D%40apache.org%3E http://ofbiz.apache.org/download.html#security •