
CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, which fixes the issue. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apache OFBiz. Authentication is not required to exploit this vulnerability. The specific flaw exists within the createRegister method.

References:
http://www.openwall.com/lists/oss-security/2024/02/28/9
https://issues.apache.org/jira/browse/OFBIZ-12884
https://lists.apache.org/thread/w4lp5ncpzttf41hn5bsc04mzq4o6lw3g
https://ofbiz.apache.org/download.html
https://ofbiz.apache.org/release-notes-18.12.12.html
https://ofbiz.apache.org/security.html

Weaknesses: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 9.8 | EPSS: 69% | CPEs: 1 | EXPL: 9

The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code. The vulnerability permits attackers to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF).

References:
https://github.com/Chocapikk/CVE-2023-51467
https://github.com/JaneMandy/CVE-2023-51467-Exploit
https://github.com/JaneMandy/CVE-2023-51467
https://github.com/UserConnecting/Exploit-CVE-2023-49070-and-CVE-2023-51467-Apache-OFBiz
https://github.com/K3ysTr0K3R/CVE-2023-51467-EXPLOIT
https://github.com/tw0point/BadBizness-CVE-2023-51467
https://github.com/Praison001/Apache-OFBiz-Auth-Bypass-and-RCE-Exploit-CVE-2023-49070-CVE-2023-51467
https://github.com/AhmedMansour93/Event-ID-217-Rule-Name

Weaknesses: CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 7.5 | EPSS: 52% | CPEs: 1 | EXPL: 0

Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when a user operates a URI call without authorization. The same URI can be operated to realize an SSRF attack, also without authorization. Users are recommended to upgrade to version 18.12.11, which fixes this issue.

References:
http://www.openwall.com/lists/oss-security/2023/12/26/2
https://issues.apache.org/jira/browse/OFBIZ-12875
https://lists.apache.org/thread/x5now4bk3llwf3k58kl96qvtjyxwp43q
https://ofbiz.apache.org/download.html
https://ofbiz.apache.org/release-notes-18.12.11.html
https://ofbiz.apache.org/security.html

Weaknesses: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 9.8 | EPSS: 82% | CPEs: 1 | EXPL: 4

Pre-auth RCE in Apache OFBiz 18.12.09. It is due to the XML-RPC component, which is no longer maintained but still present. This issue affects Apache OFBiz: before 18.12.10. Users are recommended to upgrade to version 18.12.10. Apache OFBiz version 18.12.09 suffers from a pre-authentication remote code execution vulnerability.

References:
https://github.com/UserConnecting/Exploit-CVE-2023-49070-and-CVE-2023-51467-Apache-OFBiz
https://github.com/0xrobiul/CVE-2023-49070
https://github.com/Praison001/Apache-OFBiz-Auth-Bypass-and-RCE-Exploit-CVE-2023-49070-CVE-2023-51467
https://github.com/abdoghazy2015/ofbiz-CVE-2023-49070-RCE-POC
http://packetstormsecurity.com/files/176323/Apache-OFBiz-18.12.09-Remote-Code-Execution.html
https://issues.apache.org/jira/browse/OFBIZ-12812
https://lists.apache.org/thread/jmbqk2lp4t4483whzndp5xqlq4f3otg3

Weaknesses: CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin. This issue affects Apache OFBiz: before 18.12.09. Users are recommended to upgrade to version 18.12.09.

References:
https://lists.apache.org/thread/mm5j0rsbl22q7yb0nmb6h2swbfjbwv99
https://ofbiz.apache.org/download.html
https://ofbiz.apache.org/release-notes-18.12.09.html
https://ofbiz.apache.org/security.html

Weaknesses: CWE-306: Missing Authentication for Critical Function