VYPR

Apache OFBiz

by Apache

CVEs (32)

  • CVE-2024-32113KEVMay 8, 2024
    Apache
    Ofbiz
    risk 0.23cvss epss 0.94

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue.

  • CVE-2024-45195KEVSep 4, 2024
    Apache
    Ofbiz
    risk 0.20cvss epss 0.94

    Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.

  • CVE-2024-38856KEVAug 5, 2024
    Apache
    Ofbiz
    risk 0.16cvss epss 0.94

    Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some…

  • CVE-2023-51467Dec 26, 2023
    Apache
    Ofbiz
    risk 0.11cvss epss 0.94

    The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code

  • CVE-2023-49070Dec 5, 2023
    Apache
    Ofbiz
    risk 0.11cvss epss 0.94

    Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10.  Users are recommended to upgrade to version 18.12.10

  • CVE-2021-26295Mar 22, 2021
    Apache
    Ofbiz
    risk 0.11cvss epss 0.94

    Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.

  • CVE-2024-45507Sep 4, 2024
    Apache
    Ofbiz
    risk 0.07cvss epss 0.90

    Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.

  • CVE-2024-36104Jun 4, 2024
    Apache
    Ofbiz
    risk 0.07cvss epss 0.93

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue.

  • CVE-2023-50968Dec 26, 2023
    Ofbiz
    Ofbiz
    risk 0.07cvss epss 0.84

    Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version…

  • CVE-2022-47501Apr 14, 2023
    Apache
    Ofbiz
    risk 0.07cvss epss 0.86

    Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a  pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07.

  • CVE-2021-30128Apr 27, 2021
    Apache
    Apache OFBiz
    risk 0.07cvss epss 0.93

    Apache OFBiz has unsafe deserialization prior to 17.12.07 version

  • CVE-2021-29200Apr 27, 2021
    Apache
    Apache OFBiz
    risk 0.07cvss epss 0.93

    Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack

  • CVE-2020-1943Apr 1, 2020
    Apache
    Apache OFBiz
    risk 0.07cvss epss 0.84

    Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07.

  • CVE-2022-25813Sep 2, 2022
    Apache
    Apache OFBiz
    risk 0.04cvss epss 0.54

    In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious content in a message “Subject” field from the "Contact us" page. Then a party manager needs to list the communications in the party…

  • CVE-2019-0235Apr 30, 2020
    Apache
    Apache OFBiz
    risk 0.03cvss epss 0.05

    Apache OFBiz 17.12.01 is vulnerable to some CSRF attacks.

  • CVE-2022-29063Sep 2, 2022
    Apache
    Apache OFBiz
    risk 0.02cvss epss 0.21

    The Solr plugin of Apache OFBiz is configured by default to automatically make a RMI request on localhost, port 1099. In version 18.12.05 and earlier, by hosting a malicious RMI server on localhost, an attacker may exploit this behavior, at server start-up or on a server…

  • CVE-2025-61623Nov 12, 2025
    Apache
    Ofbiz
    risk 0.00cvss epss 0.00

    Reflected cross-site scripting vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are recommended to upgrade to version 24.09.03, which fixes the issue.

  • CVE-2025-59118Nov 12, 2025
    Apache
    Ofbiz
    risk 0.00cvss epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are recommended to upgrade to version 24.09.03, which fixes the issue.

  • CVE-2025-54466Aug 15, 2025
    Apache
    Ofbiz
    risk 0.00cvss epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability.…

  • CVE-2025-30676Apr 1, 2025
    Apache
    Ofbiz
    risk 0.00cvss epss 0.03

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.19. Users are recommended to upgrade to version 18.12.19, which fixes the issue.

Page 1 of 2