76 matches found
CVE-2024-25065
CVE-2024-25065 affects Apache OFBiz. A path traversal issue allows authentication bypass. The issue impacts OFBiz versions before 18.12.12. Upgrade to 18.12.12 (or later) to fix; multiple sources (NVD, Red Hat, PRIoN, OSV) corroborate the vulnerability and fix. If applying mitigations, ensure ver...
CVE-2021-26295
Apache OFBiz contains an unsafe Java deserialization vulnerability in requests leading to remote takeover on versions prior to 17.12.06. Multiple sources (including MSF exploit for the SOAP endpoint prior to 17.12.06) describe PoCs/Exploits and DNS-log-based validation. Affected component is OFBi...
CVE-2023-51467
CVE-2023-51467 is a documented authentication bypass vulnerability in Apache OFBiz that can enable remote code execution. Multiple connected sources describe pre-authentication bypass paths and post-bypass impact, including potential SSRF or arbitrary code execution. Affected version notes appear...
CVE-2024-32113
CVE-2024-32113 describes a path traversal vulnerability in Apache OFBiz (affected:
CVE-2024-45195
Apache OFBiz is affected by CVE-2024-45195: Direct Request (Forced Browsing) vulnerability that allows unauthenticated remote code execution in versions prior to 18.12.16. The issue arises from missing view authorization checks, enabling an attacker with no credentials to execute arbitrary code o...
CVE-2023-49070
CVE-2023-49070 is a pre-auth RCE in Apache OFBiz up to version 18.12.09, caused by an unused XML-RPC component that remains present. Affected product: Apache OFBiz before 18.12.10 (and related CVE-2023-51467 authentication-bypass vector). The severity is high (CVSS v3.1 base score 9.8) with netwo...
CVE-2024-38856
CVE-2024-38856 is a pre-authentication remote code execution vulnerability in Apache OFBiz (affected: versions before 18.12.15). The issue arises from an Incorrect Authorization flaw where unauthenticated endpoints can render screens or run code, depending on endpoint configuration and missing ex...
CVE-2020-9496
CVE-2020-9496 affects Apache OFBiz 17.12.x. The vulnerability stems from unsafe deserialization in the XML-RPC endpoint (/webtools/control/xmlrpc), enabling cross-site scripting and remote code execution via crafted XML-RPC requests. Affected version shown in sources includes 17.12.01 (and later ...
CVE-2024-36104
CVE-2024-36104 is a path traversal vulnerability in Apache OFBiz prior to 18.12.14 that can lead to remote code execution. The connected documents confirm the affected product (Apache OFBiz), vulnerable component/path handling, and the root cause is improper restriction of a pathname to a restric...
CVE-2021-30128
Apache OFBiz
CVE-2024-23946
The CVE-2024-23946 issue is a path traversal/file inclusion vulnerability in Apache OFBiz. Affected product: Apache OFBiz prior to 18.12.12. Root cause: incorrect handling of file paths allowing access to files outside the web root. Impact: potential disclosure of sensitive files/directories; det...
CVE-2021-29200
Apache OFBiz prior to 17.12.07 is affected by CVE-2021-29200 due to unsafe Java deserialization, enabling unauthenticated remote code execution. The vulnerability arises from processing serialized objects (deserialization) and can be exploited to execute arbitrary code on the server. Expected imp...
CVE-2024-45507
CVE-2024-45507 affects Apache OFBiz versions before 18.12.16. The issue combines Server-Side Request Forgery (SSRF) and Code Injection due to missing view authorization, enabling unauthenticated remote code execution on affected servers. Mitigation: upgrade to OFBiz 18.12.16 or later. No explicit...
CVE-2022-47501
CVE-2022-47501 affects Apache OFBiz versions before 18.12.07. It is an arbitrary/ local file reading vulnerability via the Solr plugin, described as a pre-authentication (unauthenticated) attack. The issue allows reading arbitrary server filesystem files through the Solr plugin debug endpoint, po...
CVE-2025-26865
CVE-2025-26865 affects Apache OFBiz 18.12.17 through 18.12.18, due to improper neutralization of special elements in the template engine. It's a regression between 18.12.17 (safe) and 18.12.18 (patched). Affected component is the template engine in OFBiz; Red Hat, CNVD, OSV, NVD, and CVE lists de...
CVE-2023-50968
Apache OFBiz
CVE-2011-3600
CVE-2011-3600 affects Apache OFBiz: the /webtools/control/xmlrpc endpoint in the OFBiz XML-RPC handler is vulnerable to External Entity Injection through DOCTYPE declarations, enabling disclosure of filesystem contents and allowing port probe and existence checks via error messages. Affected vers...
CVE-2022-25371
CVE-2022-25371 involves Apache OFBiz with the Birt plugin. A bug in Birt (Eclipse bug 538142) enables a remote code execution (RCE) attack in OFBiz 18.12.05 and earlier. The connected Red Hat/NVD entries confirm the RCE impact and affected version range. No details on a fixed/version upgrade are ...
CVE-2021-37608
CVE-2021-37608 affects Apache OFBiz up to and including 17.12.07; it is caused by Unrestricted Upload of File with Dangerous Type, enabling remote command execution. The advisory calls for upgrading to at least 17.12.08 or applying the OFBIZ-12297 patch. Connected sources confirm the vulnerabilit...
CVE-2019-0235
CVE-2019-0235 affects Apache OFBiz. Connected sources detail a Cross-Site Request Forgery vulnerability in OFBiz 17.12.01 (and related 17.12.x releases) where forged requests can perform unauthorized actions (e.g., via endpoints like updateEmailAddress). The core issue is CSRF protection weakness...
CVE-2022-25813
Apache OFBiz CVE-2022-25813 affects versions 18.12.05 and earlier. An anonymous user can inject malicious content into the Subject field of the ecommerce plugin’s Contact us page, triggering a Server-Side Template Injection (SSTI) when a party manager lists communications, potentially enabling Re...
CVE-2018-8033
CVE-2018-8033 affects Apache OFBiz 16.11.01–16.11.04. The vulnerability lies in the OFBiz HTTP engine at /webtools/control/httpService, where POST/GET requests may include serviceName, serviceMode, and serviceContext. Exploitation is achieved via DOCTYPEs referencing external entities, triggering...
CVE-2012-1621
Apache OFBiz 10.04.x prior to 10.04.02 is affected by multiple XSS vulnerabilities. The issues arise from improper handling of user input in error messages and in requests using (1) parameter arrays in freemarker templates, (2) contentId, and (3) mapKey in cms events, plus (4) ajax inputs to getS...
CVE-2020-1943
CVE-2020-1943 affects Apache OFBiz 16.11.01–16.11.07. The vulnerability is a cross-site scripting flaw caused by unsanitized data sent with the contentId parameter to the /control/stream endpoint. Impact, as reported, is execution of malicious scripts in the victim’s browser (potential session-re...
CVE-2022-29158
CVE-2022-29158 affects Apache OFBiz up to version 18.12.05. The issue is a Regular Expression Denial of Service (ReDoS) in how OFBiz handles URLs provided by external, unauthenticated users. Several trusted sources in the connected set corroborate this vulnerability and the remediation: upgrade t...
CVE-2023-46819
Apache OFBiz contains a Missing Authentication flaw in the Solr plugin (CVE-2023-46819). Affected versions are before 18.12.09. The root cause is unauthorized access to Solr plugin queries, enabling potential modification/exfiltration of protected data. The recommended remediation is upgrading to...
CVE-2024-47208
CVE-2024-47208 affects Apache OFBiz prior to 18.12.17. The issue is a Server-Side Request Forgery (SSRF) with improper control of code generation (code injection) that could enable an attacker to access intranet resources. Affected component/flow details are not explicitly enumerated beyond the v...
CVE-2022-29063
CVE-2022-29063 affects the Solr plugin in Apache OFBiz. By default it issues a RMI request to localhost:1099; versions 18.12.05 and earlier are vulnerable if an attacker runs a malicious RMI server on localhost, allowing arbitrary code execution at server start-up or on restart. A fix is availabl...
CVE-2024-48962
CVE-2024-48962 affects Apache OFBiz versions before 18.12.17. The issue combines improper generation of code (code injection) with CSRF, arising from improper neutralization of certain template elements. This can enable unauthorized actions or code execution within vulnerable OFBiz deployments. T...
CVE-2019-0189
The CVE-2019-0189 issue affects Apache OFBiz via two dependencies (commons-beanutils and an outdated commons-fileupload). It uses Java deserialization in the HttpEngine: the request parameter serviceContext is passed to XmlSerializer.deserialize, enabling remote code execution through java.io.Obj...
CVE-2025-30676
The CVE-2025-30676 entry describes an XSS vulnerability in Apache OFBiz due to improper neutralization of script-related HTML tags in a web page. Affected releases are Apache OFBiz before 18.12.19 . Root cause: lack of proper filtering/escaping of user-supplied data, enabling injection of crafted...
CVE-2015-3268
Apache OFBiz is affected by an XSS in DisplayEntityField.getDescription (ModelFormField.java). The vulnerability allows remote attackers to inject arbitrary script/HTML via the description attribute of a display-entity element. Affected versions: OFBiz before 12.04.06 and 13.07.x before 13.07.03....
CVE-2010-0432
CVE-2010-0432 describes multiple cross-site scripting (XSS) vulnerabilities in Apache OFBiz (OFBiz) 9.04 and earlier, including reflected and stored XSS in various parameters (productStoreId, partyId, start, invalid URIs, contentId, entityName, subject/content). Root cause: inputs are not properl...
CVE-2013-2250
Apache OFBiz is affected by CVE-2013-2250 due to improper validation of parameters containing JUEL metacharacters, allowing a remote attacker to trigger nested UEL expressions and execute arbitrary UEL functions. Impact is remote code execution with unauthenticated access. Affected versions: OFBi...
CVE-2016-4462
CVE-2016-4462 concerns Apache OFBiz. A logged-in user can manipulate the externalLoginKey URL parameter to feed the Freemarker Template Engine with directives reflected on the page, enabling remote code execution via a specially crafted Freemarker template. Mitigation: upgrade to Apache OFBiz 16....
CVE-2022-25370
Summary: CVE-2022-25370 affects Apache OFBiz versions 18.12.05 and earlier, due to a vulnerability in the Birt plugin (Birt issue 538142) that enables an unauthenticated stored XSS attack. The attack can inject and execute a payload via the stored XSS vector. Affected software/component: Apache O...
CVE-2012-1622
CVE-2012-1622 affects Apache OFBiz 10.04.x before 10.04.02 and allows remote attackers to execute arbitrary code via unspecified vectors. The vulnerability is described as a remote code execution issue with high impact (network access, no auth required; exploits possible without user interaction)...
CVE-2006-6587
CVE-2006-6587 is a Cross‑Site Scripting (XSS) flaw in the Apache OFBiz Open For Business (OFBiz) ecommerce forum component. The vulnerability allows remote attackers to inject arbitrary script or HTML by posting a message, targeting the forum implementation. The connected OpenVAS entry notes OFBi...
CVE-2017-15714
The CVE-2017-15714 issue affects the BIRT plugin in Apache OFBiz versions 16.11.01 through 16.11.03. The root cause is that the plugin does not escape user input properties passed via the URL, enabling code injection when crafted input is supplied (e.g., a URL containing __format=%27;alert(%27xss...
CVE-2013-2137
CVE-2013-2137 describes an XSS vulnerability in the Webtools "View Log" screen of Apache OFBiz. Affected: OFBiz Webtools View Log in versions 10.04.01–10.04.05, 11.04.01–11.04.02, and 12.04.01. Root cause: log HTML content not properly encoded. Impact: remote attackers can inject arbitrary script...
CVE-2006-6588
CVE-2006-6588 affects the Apache OFBiz OFBiz forum component, where the forum implementation trusts certain hidden form fields (dataResourceTypeId and contentTypeId) to process content. This trust allows remote attackers to create unauthorized content types, modify content, or cause other unknown...
CVE-2013-0177
Apache OFBiz (Open For Business) is affected by multiple XSS vulnerabilities in widget/screen/ModelScreenWidget.java, affecting OFBiz 10.04.x before 10.04.05 and 11.04.01 (possibly 09.04.x). The issue allows remote authenticated users to inject arbitrary script/HTML through the Screenlet.title or...
CVE-2016-2170
CVE-2016-2170 affects Apache OFBiz where an insecure Java deserialization flaw (via the Apache Commons Collections usage) allows remote execution of arbitrary commands. Affected versions: OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03. Exploitation relies on crafting a serialized Java ...
CVE-2016-6800
CVE-2016-6800 affects the Apache OFBiz blog feature: unsanitized input in the summary/article fields allows injection of arbitrary JavaScript, which is executed in users’ browsers visiting the article. Mitigation is to upgrade to Apache OFBiz 16.11.01. This vulnerability detail is supported by th...
CVE-2014-0232
This CVE affects Apache OFBiz: XSS vulnerabilities exist in the template messages.ftl (framework/common/webcommon/includes/messages.ftl). Affected versions are OFBiz 11.04.01 up to but not including 11.04.05, and 12.04.01 up to but not including 12.04.04. The issue allows remote attackers to inje...
CVE-2019-12426
CVE-2019-12426 affects Apache OFBiz versions 16.11.01 through 16.11.06. An unauthenticated actor could access information on certain backend screens by invoking setSessionLocale, leading to information disclosure. The available connected sources corroborate unauthenticated information exposure in...
CVE-2021-25958
Summary: CVE-2021-25958 affects Apache OFBiz (versions 17.12.01–17.12.07). The issue arises from a try/catch error handling path that leaks sensitive table information in error messages, aiding attacker reconnaissance. The vulnerability is triggered during normal login attempts after a user regis...
CVE-2006-6589
The CVE-2006-6589 entry tracks a cross-site scripting (XSS) vulnerability affecting the ecommerce/control/keywordsearch path in Apache OFBiz and Opentaps 0.9.3, enabling remote injection of script/HTML via the SEARCH_STRING parameter. Connected OpenVAS data confirms HTML injection issues for Open...
CVE-2019-12425
CVE-2019-12425 affects Apache OFBiz 17.12.01 and is described as a Host header injection vulnerability caused by accepting arbitrary Host headers. This is documented across multiple sources (e.g., NVD entry and Red Hat, CNVD, OSV, CVE lists) with the consistent description that OFBiz 17.12.01 is ...
CVE-2019-10074
CVE-2019-10074 affects Apache OFBiz where Freemarker markup in a Form Widget textarea can trigger remote code execution if encoding is disabled on that field (notably in the Customer Request “story” input of Order Manager). Root cause: disabling encoding on a user input field allows untrusted mar...