Unrated severity · NVD Advisory · Published Dec 13, 2018 · Updated Aug 5, 2024

CVE-2018-8033

Description

In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext. Exploitation occurs when a request carries DOCTYPEs that point to external references, which trigger a payload that returns secret information from the host.

Affected products

  • Apache/Ofbiz (2 versions)
    • (no CPE) range: >=16.11.01 <=16.11.04
    • (no CPE) range: Apache OFBiz 16.11.01 to 16.11.04
