CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30676 – Apache OFBiz: Stored XSS Vulnerability
https://notcve.org/view.php?id=CVE-2025-30676
01 Apr 2025 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.19. Users are recommended to upgrade to version 18.12.19, which fixes the issue. • https://issues.apache.org/jira/browse/OFBIZ-13219 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-26865 – Apache OFBiz: Server-Side Template Injection affecting the ecommerce plugin leading to possible RCE
https://notcve.org/view.php?id=CVE-2025-26865
10 Mar 2025 — Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18. It's a regression between 18.12.17 and 18.12.18. In case you use something like that, which is not recommended! For security, only official releases should be used. In other words, if you use 18.12.17 you are still safe. The version 18.12.17 is not a affected. But something between 18.12.17 and 18.12.18 is. • https://issues.apache.org/jira/browse/OFBIZ-12594 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47208 – Apache OFBiz: URLs allowing remote use of Groovy expressions, leading to RCE
https://notcve.org/view.php?id=CVE-2024-47208
18 Nov 2024 — Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue. • https://issues.apache.org/jira/browse/OFBIZ-13158 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-48962 – Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE)
https://notcve.org/view.php?id=CVE-2024-48962
18 Nov 2024 — Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue. • https://issues.apache.org/jira/browse/OFBIZ-13162 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-352: Cross-Site Request Forgery (CSRF) CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 10.0EPSS: 94%CPEs: 1EXPL: 0CVE-2024-45195 – Apache OFBiz Forced Browsing Vulnerability
https://notcve.org/view.php?id=CVE-2024-45195
04 Sep 2024 — Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue. Vulnerabilidad Direct Request ("Navegación forzada") en Apache OFBiz. Este problema afecta a Apache OFBiz: anterior a la versión 18.12.16. • https://issues.apache.org/jira/browse/OFBIZ-13130 • CWE-425: Direct Request ('Forced Browsing') •
CVSS: 10.0EPSS: 85%CPEs: 1EXPL: 1CVE-2024-45507 – Apache OFBiz: Prevent use of URLs in files when loading them from Java or Groovy, leading to a RCE
https://notcve.org/view.php?id=CVE-2024-45507
04 Sep 2024 — Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue. Vulnerabilidad de Server-Side Request Forgery (SSRF) y control inadecuado de la generación de código ('inyección de código') en Apache OFBiz. Este problema afecta a Apache OFBiz: anterior a la versión 18.12.16. • https://github.com/Avento/CVE-2024-45507_Behinder_Webshell • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 94%CPEs: 1EXPL: 10CVE-2024-38856 – Apache OFBiz Incorrect Authorization Vulnerability
https://notcve.org/view.php?id=CVE-2024-38856
05 Aug 2024 — Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints). This vulnerability allows remote attackers to bypass authentication on affec... • https://github.com/codeb0ss/CVE-2024-38856-PoC • CWE-863: Incorrect Authorization •
CVSS: 9.1EPSS: 93%CPEs: 1EXPL: 1CVE-2024-36104 – Apache OFBiz: Path traversal leading to a RCE
https://notcve.org/view.php?id=CVE-2024-36104
04 Jun 2024 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue. Limitación inadecuada de una vulnerabilidad de nombre de ruta a un directorio restringido ("Path Traversal") en Apache OFBiz. Este problema afecta a Apache OFBiz: antes del 18.12.14. • https://github.com/ggfzx/CVE-2024-36104 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 94%CPEs: 1EXPL: 6CVE-2024-32113 – Apache OFBiz Path Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2024-32113
08 May 2024 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue. Limitación inadecuada de una vulnerabilidad de nombre de ruta a un directorio restringido ("Path Traversal") en Apache OFBiz. Este problema afecta a Apache OFBiz: antes del 18.12.13. Se recomienda a los usuarios actualizar a la versión 18.12.13, que soluciona el problema. • https://packetstorm.news/files/id/179138 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.1EPSS: 1%CPEs: 1EXPL: 0CVE-2024-25065 – Apache OFBiz: Path traversal allowing authentication bypass.
https://notcve.org/view.php?id=CVE-2024-25065
28 Feb 2024 — Possible path traversal in Apache OFBiz allowing authentication bypass. Users are recommended to upgrade to version 18.12.12, that fixes the issue. Posible path traversal en Apache OFBiz que permite omitir la autenticación. Se recomienda a los usuarios actualizar a la versión 18.12.12, que soluciona el problema. Possible path traversal in Apache OFBiz allowing authentication bypass. Users are recommended to upgrade to version 18.12.12, that fixes the issue. • http://www.openwall.com/lists/oss-security/2024/02/28/10 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •