Lucene search
K
ApacheOfbiz

76 matches found

CVE
CVE
added 2024/02/28 3:42 p.m.3979 views

CVE-2024-25065

CVE-2024-25065 affects Apache OFBiz. A path traversal issue allows authentication bypass. The issue impacts OFBiz versions before 18.12.12. Upgrade to 18.12.12 (or later) to fix; multiple sources (NVD, Red Hat, PRIoN, OSV) corroborate the vulnerability and fix. If applying mitigations, ensure ver...

9.1CVSS9.4AI score0.47667EPSS
CVE
CVE
added 2021/03/22 12:0 p.m.332 views

CVE-2021-26295

Apache OFBiz contains an unsafe Java deserialization vulnerability in requests leading to remote takeover on versions prior to 17.12.06. Multiple sources (including MSF exploit for the SOAP endpoint prior to 17.12.06) describe PoCs/Exploits and DNS-log-based validation. Affected component is OFBi...

9.8CVSS9.5AI score0.97969EPSS
In wildWeb
CVE
CVE
added 2023/12/26 2:46 p.m.312 views

CVE-2023-51467

CVE-2023-51467 is a documented authentication bypass vulnerability in Apache OFBiz that can enable remote code execution. Multiple connected sources describe pre-authentication bypass paths and post-bypass impact, including potential SSRF or arbitrary code execution. Affected version notes appear...

9.8CVSS9.9AI score0.96001EPSS
In wild
CVE
CVE
added 2024/05/08 2:50 p.m.288 views

CVE-2024-32113

CVE-2024-32113 describes a path traversal vulnerability in Apache OFBiz (affected:

9.8CVSS9.6AI score0.99442EPSS
In wildWeb
CVE
CVE
added 2024/09/04 8:8 a.m.265 views

CVE-2024-45195

Apache OFBiz is affected by CVE-2024-45195: Direct Request (Forced Browsing) vulnerability that allows unauthenticated remote code execution in versions prior to 18.12.16. The issue arises from missing view authorization checks, enabling an attacker with no credentials to execute arbitrary code o...

9.8CVSS8.6AI score0.99983EPSS
In wild
CVE
CVE
added 2023/12/05 8:5 a.m.232 views

CVE-2023-49070

CVE-2023-49070 is a pre-auth RCE in Apache OFBiz up to version 18.12.09, caused by an unused XML-RPC component that remains present. Affected product: Apache OFBiz before 18.12.10 (and related CVE-2023-51467 authentication-bypass vector). The severity is high (CVSS v3.1 base score 9.8) with netwo...

9.8CVSS9.5AI score0.95442EPSS
In wildWeb
CVE
CVE
added 2024/08/05 8:20 a.m.204 views

CVE-2024-38856

CVE-2024-38856 is a pre-authentication remote code execution vulnerability in Apache OFBiz (affected: versions before 18.12.15). The issue arises from an Incorrect Authorization flaw where unauthenticated endpoints can render screens or run code, depending on endpoint configuration and missing ex...

9.8CVSS6.8AI score0.99427EPSS
In wild
CVE
CVE
added 2020/07/15 3:39 p.m.197 views

CVE-2020-9496

CVE-2020-9496 affects Apache OFBiz 17.12.x. The vulnerability stems from unsafe deserialization in the XML-RPC endpoint (/webtools/control/xmlrpc), enabling cross-site scripting and remote code execution via crafted XML-RPC requests. Affected version shown in sources includes 17.12.01 (and later ...

6.1CVSS6.1AI score0.98926EPSS
Web
CVE
CVE
added 2024/06/04 7:25 a.m.176 views

CVE-2024-36104

CVE-2024-36104 is a path traversal vulnerability in Apache OFBiz prior to 18.12.14 that can lead to remote code execution. The connected documents confirm the affected product (Apache OFBiz), vulnerable component/path handling, and the root cause is improper restriction of a pathname to a restric...

9.1CVSS9.4AI score0.87883EPSS
In wildWeb
CVE
CVE
added 2021/04/27 7:50 p.m.154 views

CVE-2021-30128

Apache OFBiz

10CVSS9.5AI score0.81079EPSS
In wild
CVE
CVE
added 2024/02/28 3:44 p.m.147 views

CVE-2024-23946

The CVE-2024-23946 issue is a path traversal/file inclusion vulnerability in Apache OFBiz. Affected product: Apache OFBiz prior to 18.12.12. Root cause: incorrect handling of file paths allowing access to files outside the web root. Impact: potential disclosure of sensitive files/directories; det...

5.3CVSS5.3AI score0.03146EPSS
CVE
CVE
added 2021/04/27 7:50 p.m.142 views

CVE-2021-29200

Apache OFBiz prior to 17.12.07 is affected by CVE-2021-29200 due to unsafe Java deserialization, enabling unauthenticated remote code execution. The vulnerability arises from processing serialized objects (deserialization) and can be exploited to execute arbitrary code on the server. Expected imp...

9.8CVSS9.6AI score0.5537EPSS
CVE
CVE
added 2024/09/04 8:8 a.m.126 views

CVE-2024-45507

CVE-2024-45507 affects Apache OFBiz versions before 18.12.16. The issue combines Server-Side Request Forgery (SSRF) and Code Injection due to missing view authorization, enabling unauthenticated remote code execution on affected servers. Mitigation: upgrade to OFBiz 18.12.16 or later. No explicit...

9.8CVSS9.7AI score0.93243EPSS
In wild
CVE
CVE
added 2023/04/14 3:1 p.m.118 views

CVE-2022-47501

CVE-2022-47501 affects Apache OFBiz versions before 18.12.07. It is an arbitrary/ local file reading vulnerability via the Solr plugin, described as a pre-authentication (unauthenticated) attack. The issue allows reading arbitrary server filesystem files through the Solr plugin debug endpoint, po...

7.5CVSS7.5AI score0.1018EPSS
CVE
CVE
added 2025/03/10 2:1 p.m.116 views

CVE-2025-26865

CVE-2025-26865 affects Apache OFBiz 18.12.17 through 18.12.18, due to improper neutralization of special elements in the template engine. It's a regression between 18.12.17 (safe) and 18.12.18 (patched). Affected component is the template engine in OFBiz; Red Hat, CNVD, OSV, NVD, and CVE lists de...

3.5CVSS7.1AI score0.00623EPSS
CVE
CVE
added 2023/12/26 11:45 a.m.108 views

CVE-2023-50968

Apache OFBiz

7.5CVSS7.5AI score0.63373EPSS
In wild
CVE
CVE
added 2019/11/26 12:7 a.m.98 views

CVE-2011-3600

CVE-2011-3600 affects Apache OFBiz: the /webtools/control/xmlrpc endpoint in the OFBiz XML-RPC handler is vulnerable to External Entity Injection through DOCTYPE declarations, enabling disclosure of filesystem contents and allowing port probe and existence checks via error messages. Affected vers...

7.5CVSS7.5AI score0.1591EPSS
In wildWeb
CVE
CVE
added 2022/09/02 7:10 a.m.95 views

CVE-2022-25371

CVE-2022-25371 involves Apache OFBiz with the Birt plugin. A bug in Birt (Eclipse bug 538142) enables a remote code execution (RCE) attack in OFBiz 18.12.05 and earlier. The connected Red Hat/NVD entries confirm the RCE impact and affected version range. No details on a fixed/version upgrade are ...

9.8CVSS9.8AI score0.04059EPSS
CVE
CVE
added 2021/08/18 7:50 a.m.89 views

CVE-2021-37608

CVE-2021-37608 affects Apache OFBiz up to and including 17.12.07; it is caused by Unrestricted Upload of File with Dangerous Type, enabling remote command execution. The advisory calls for upgrading to at least 17.12.08 or applying the OFBIZ-12297 patch. Connected sources confirm the vulnerabilit...

9.8CVSS9.6AI score0.0603EPSS
CVE
CVE
added 2020/04/30 7:22 p.m.86 views

CVE-2019-0235

CVE-2019-0235 affects Apache OFBiz. Connected sources detail a Cross-Site Request Forgery vulnerability in OFBiz 17.12.01 (and related 17.12.x releases) where forged requests can perform unauthorized actions (e.g., via endpoints like updateEmailAddress). The core issue is CSRF protection weakness...

8.8CVSS8.6AI score0.32747EPSS
Web
CVE
CVE
added 2022/09/02 7:10 a.m.84 views

CVE-2022-25813

Apache OFBiz CVE-2022-25813 affects versions 18.12.05 and earlier. An anonymous user can inject malicious content into the Subject field of the ecommerce plugin’s Contact us page, triggering a Server-Side Template Injection (SSTI) when a party manager lists communications, potentially enabling Re...

7.5CVSS7.4AI score0.67261EPSS
CVE
CVE
added 2018/12/13 2:0 p.m.83 views

CVE-2018-8033

CVE-2018-8033 affects Apache OFBiz 16.11.01–16.11.04. The vulnerability lies in the OFBiz HTTP engine at /webtools/control/httpService, where POST/GET requests may include serviceName, serviceMode, and serviceContext. Exploitation is achieved via DOCTYPEs referencing external entities, triggering...

7.5CVSS7.4AI score0.25743EPSS
Web
CVE
CVE
added 2014/06/19 2:0 p.m.76 views

CVE-2012-1621

Apache OFBiz 10.04.x prior to 10.04.02 is affected by multiple XSS vulnerabilities. The issues arise from improper handling of user input in error messages and in requests using (1) parameter arrays in freemarker templates, (2) contentId, and (3) mapKey in cms events, plus (4) ajax inputs to getS...

4.3CVSS5.9AI score0.09795EPSS
CVE
CVE
added 2020/04/01 6:18 p.m.76 views

CVE-2020-1943

CVE-2020-1943 affects Apache OFBiz 16.11.01–16.11.07. The vulnerability is a cross-site scripting flaw caused by unsanitized data sent with the contentId parameter to the /control/stream endpoint. Impact, as reported, is execution of malicious scripts in the victim’s browser (potential session-re...

6.1CVSS5.9AI score0.97309EPSS
In wildWeb
CVE
CVE
added 2022/09/02 7:10 a.m.76 views

CVE-2022-29158

CVE-2022-29158 affects Apache OFBiz up to version 18.12.05. The issue is a Regular Expression Denial of Service (ReDoS) in how OFBiz handles URLs provided by external, unauthenticated users. Several trusted sources in the connected set corroborate this vulnerability and the remediation: upgrade t...

7.5CVSS7.6AI score0.0175EPSS
CVE
CVE
added 2023/11/07 11:2 a.m.75 views

CVE-2023-46819

Apache OFBiz contains a Missing Authentication flaw in the Solr plugin (CVE-2023-46819). Affected versions are before 18.12.09. The root cause is unauthorized access to Solr plugin queries, enabling potential modification/exfiltration of protected data. The recommended remediation is upgrading to...

5.3CVSS5.3AI score0.01793EPSS
CVE
CVE
added 2024/11/18 8:43 a.m.75 views

CVE-2024-47208

CVE-2024-47208 affects Apache OFBiz prior to 18.12.17. The issue is a Server-Side Request Forgery (SSRF) with improper control of code generation (code injection) that could enable an attacker to access intranet resources. Affected component/flow details are not explicitly enumerated beyond the v...

9.8CVSS9.7AI score0.01609EPSS
CVE
CVE
added 2022/09/02 7:10 a.m.73 views

CVE-2022-29063

CVE-2022-29063 affects the Solr plugin in Apache OFBiz. By default it issues a RMI request to localhost:1099; versions 18.12.05 and earlier are vulnerable if an attacker runs a malicious RMI server on localhost, allowing arbitrary code execution at server start-up or on restart. A fix is availabl...

9.8CVSS9.6AI score0.03716EPSS
CVE
CVE
added 2024/11/18 8:41 a.m.73 views

CVE-2024-48962

CVE-2024-48962 affects Apache OFBiz versions before 18.12.17. The issue combines improper generation of code (code injection) with CSRF, arising from improper neutralization of certain template elements. This can enable unauthorized actions or code execution within vulnerable OFBiz deployments. T...

8.9CVSS6.7AI score0.00613EPSS
CVE
CVE
added 2019/09/11 8:29 p.m.72 views

CVE-2019-0189

The CVE-2019-0189 issue affects Apache OFBiz via two dependencies (commons-beanutils and an outdated commons-fileupload). It uses Java deserialization in the HttpEngine: the request parameter serviceContext is passed to XmlSerializer.deserialize, enabling remote code execution through java.io.Obj...

9.8CVSS9.7AI score0.2371EPSS
Web
CVE
CVE
added 2025/04/01 2:43 p.m.72 views

CVE-2025-30676

The CVE-2025-30676 entry describes an XSS vulnerability in Apache OFBiz due to improper neutralization of script-related HTML tags in a web page. Affected releases are Apache OFBiz before 18.12.19 . Root cause: lack of proper filtering/escaping of user-supplied data, enabling injection of crafted...

6.1CVSS6.9AI score0.65347EPSS
CVE
CVE
added 2016/04/12 2:0 p.m.71 views

CVE-2015-3268

Apache OFBiz is affected by an XSS in DisplayEntityField.getDescription (ModelFormField.java). The vulnerability allows remote attackers to inject arbitrary script/HTML via the description attribute of a display-entity element. Affected versions: OFBiz before 12.04.06 and 13.07.x before 13.07.03....

6.1CVSS6AI score0.09184EPSS
CVE
CVE
added 2010/04/15 5:0 p.m.68 views

CVE-2010-0432

CVE-2010-0432 describes multiple cross-site scripting (XSS) vulnerabilities in Apache OFBiz (OFBiz) 9.04 and earlier, including reflected and stored XSS in various parameters (productStoreId, partyId, start, invalid URIs, contentId, entityName, subject/content). Root cause: inputs are not properl...

4.3CVSS5.6AI score0.22941EPSS
Web
CVE
CVE
added 2013/08/15 4:0 p.m.67 views

CVE-2013-2250

Apache OFBiz is affected by CVE-2013-2250 due to improper validation of parameters containing JUEL metacharacters, allowing a remote attacker to trigger nested UEL expressions and execute arbitrary UEL functions. Impact is remote code execution with unauthenticated access. Affected versions: OFBi...

10CVSS7.6AI score0.12138EPSS
CVE
CVE
added 2017/08/30 5:0 p.m.66 views

CVE-2016-4462

CVE-2016-4462 concerns Apache OFBiz. A logged-in user can manipulate the externalLoginKey URL parameter to feed the Freemarker Template Engine with directives reflected on the page, enabling remote code execution via a specially crafted Freemarker template. Mitigation: upgrade to Apache OFBiz 16....

8.8CVSS8.8AI score0.03802EPSS
CVE
CVE
added 2022/09/02 7:10 a.m.66 views

CVE-2022-25370

Summary: CVE-2022-25370 affects Apache OFBiz versions 18.12.05 and earlier, due to a vulnerability in the Birt plugin (Birt issue 538142) that enables an unauthenticated stored XSS attack. The attack can inject and execute a payload via the stored XSS vector. Affected software/component: Apache O...

5.4CVSS5.3AI score0.02009EPSS
CVE
CVE
added 2017/10/26 8:0 p.m.63 views

CVE-2012-1622

CVE-2012-1622 affects Apache OFBiz 10.04.x before 10.04.02 and allows remote attackers to execute arbitrary code via unspecified vectors. The vulnerability is described as a remote code execution issue with high impact (network access, no auth required; exploits possible without user interaction)...

9.8CVSS9.7AI score0.05004EPSS
CVE
CVE
added 2006/12/15 7:0 p.m.62 views

CVE-2006-6587

CVE-2006-6587 is a Cross‑Site Scripting (XSS) flaw in the Apache OFBiz Open For Business (OFBiz) ecommerce forum component. The vulnerability allows remote attackers to inject arbitrary script or HTML by posting a message, targeting the forum implementation. The connected OpenVAS entry notes OFBi...

6.8CVSS5.6AI score0.07553EPSS
CVE
CVE
added 2018/01/04 3:0 p.m.61 views

CVE-2017-15714

The CVE-2017-15714 issue affects the BIRT plugin in Apache OFBiz versions 16.11.01 through 16.11.03. The root cause is that the plugin does not escape user input properties passed via the URL, enabling code injection when crafted input is supplied (e.g., a URL containing __format=%27;alert(%27xss...

9.8CVSS9.5AI score0.03292EPSS
CVE
CVE
added 2013/08/15 4:0 p.m.60 views

CVE-2013-2137

CVE-2013-2137 describes an XSS vulnerability in the Webtools "View Log" screen of Apache OFBiz. Affected: OFBiz Webtools View Log in versions 10.04.01–10.04.05, 11.04.01–11.04.02, and 12.04.01. Root cause: log HTML content not properly encoded. Impact: remote attackers can inject arbitrary script...

4.3CVSS5.8AI score0.07698EPSS
CVE
CVE
added 2006/12/15 7:0 p.m.59 views

CVE-2006-6588

CVE-2006-6588 affects the Apache OFBiz OFBiz forum component, where the forum implementation trusts certain hidden form fields (dataResourceTypeId and contentTypeId) to process content. This trust allows remote attackers to create unauthorized content types, modify content, or cause other unknown...

7.5CVSS7.1AI score0.02128EPSS
CVE
CVE
added 2014/01/30 3:0 p.m.59 views

CVE-2013-0177

Apache OFBiz (Open For Business) is affected by multiple XSS vulnerabilities in widget/screen/ModelScreenWidget.java, affecting OFBiz 10.04.x before 10.04.05 and 11.04.01 (possibly 09.04.x). The issue allows remote authenticated users to inject arbitrary script/HTML through the Screenlet.title or...

3.5CVSS5.6AI score0.2123EPSS
Web
CVE
CVE
added 2016/04/12 2:0 p.m.59 views

CVE-2016-2170

CVE-2016-2170 affects Apache OFBiz where an insecure Java deserialization flaw (via the Apache Commons Collections usage) allows remote execution of arbitrary commands. Affected versions: OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03. Exploitation relies on crafting a serialized Java ...

9.8CVSS9.7AI score0.12683EPSS
CVE
CVE
added 2017/08/30 5:0 p.m.59 views

CVE-2016-6800

CVE-2016-6800 affects the Apache OFBiz blog feature: unsanitized input in the summary/article fields allows injection of arbitrary JavaScript, which is executed in users’ browsers visiting the article. Mitigation is to upgrade to Apache OFBiz 16.11.01. This vulnerability detail is supported by th...

6.1CVSS6.3AI score0.03112EPSS
CVE
CVE
added 2014/08/22 2:0 p.m.58 views

CVE-2014-0232

This CVE affects Apache OFBiz: XSS vulnerabilities exist in the template messages.ftl (framework/common/webcommon/includes/messages.ftl). Affected versions are OFBiz 11.04.01 up to but not including 11.04.05, and 12.04.01 up to but not including 12.04.04. The issue allows remote attackers to inje...

4.3CVSS5.9AI score0.08194EPSS
CVE
CVE
added 2020/02/06 4:47 p.m.58 views

CVE-2019-12426

CVE-2019-12426 affects Apache OFBiz versions 16.11.01 through 16.11.06. An unauthenticated actor could access information on certain backend screens by invoking setSessionLocale, leading to information disclosure. The available connected sources corroborate unauthenticated information exposure in...

5.3CVSS5.2AI score0.04889EPSS
CVE
CVE
added 2021/08/30 2:7 p.m.57 views

CVE-2021-25958

Summary: CVE-2021-25958 affects Apache OFBiz (versions 17.12.01–17.12.07). The issue arises from a try/catch error handling path that leaks sensitive table information in error messages, aiding attacker reconnaissance. The vulnerability is triggered during normal login attempts after a user regis...

7.5CVSS6.8AI score0.02639EPSS
CVE
CVE
added 2006/12/15 7:0 p.m.56 views

CVE-2006-6589

The CVE-2006-6589 entry tracks a cross-site scripting (XSS) vulnerability affecting the ecommerce/control/keywordsearch path in Apache OFBiz and Opentaps 0.9.3, enabling remote injection of script/HTML via the SEARCH_STRING parameter. Connected OpenVAS data confirms HTML injection issues for Open...

6.8CVSS5.6AI score0.02664EPSS
Web
CVE
CVE
added 2020/04/30 7:20 p.m.54 views

CVE-2019-12425

CVE-2019-12425 affects Apache OFBiz 17.12.01 and is described as a Host header injection vulnerability caused by accepting arbitrary Host headers. This is documented across multiple sources (e.g., NVD entry and Red Hat, CNVD, OSV, CVE lists) with the consistent description that OFBiz 17.12.01 is ...

7.5CVSS7.6AI score0.04665EPSS
CVE
CVE
added 2019/09/11 8:38 p.m.53 views

CVE-2019-10074

CVE-2019-10074 affects Apache OFBiz where Freemarker markup in a Form Widget textarea can trigger remote code execution if encoding is disabled on that field (notably in the Customer Request “story” input of Order Manager). Root cause: disabling encoding on a user input field allows untrusted mar...

9.8CVSS9.3AI score0.03394EPSS
Total number of security vulnerabilities76