Ofbiz
by Apache
Source repositories
CVEs (76)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-31379 | Med | 0.40 | 6.1 | 0.01 | May 19, 2026 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects… | ||
| CVE-2016-6800 | Med | 0.40 | 6.1 | 0.03 | Aug 30, 2017 | The default configuration of the Apache OFBiz framework offers a blog functionality. Different users are able to operate blogs which are related to specific parties. In the form field for the creation of new blog articles the user input of the summary field as well as the… | ||
| CVE-2015-3268 | Med | 0.40 | 6.1 | 0.09 | Apr 12, 2016 | Cross-site scripting (XSS) vulnerability in the DisplayEntityField.getDescription method in ModelFormField.java in Apache OFBiz before 12.04.06 and 13.07.x before 13.07.03 allows remote attackers to inject arbitrary web script or HTML via the description attribute of a… | ||
| CVE-2026-31388 | Med | 0.34 | 5.3 | 0.00 | May 19, 2026 | Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | ||
| CVE-2026-31387 | Med | 0.34 | 5.3 | 0.01 | May 19, 2026 | Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | ||
| CVE-2024-32113 | 0.23 | — | 0.99 | KEV | May 8, 2024 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue. | ||
| CVE-2024-45195 | 0.20 | — | 1.00 | KEV | Sep 4, 2024 | Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue. | ||
| CVE-2024-38856 | 0.16 | — | 0.99 | KEV | Aug 5, 2024 | Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some… | ||
| CVE-2023-51467 | 0.11 | — | 0.96 | Dec 26, 2023 | The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code | |||
| CVE-2023-49070 | 0.11 | — | 0.95 | Dec 5, 2023 | Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10. Users are recommended to upgrade to version 18.12.10 | |||
| CVE-2021-26295 | 0.11 | — | 0.98 | Mar 22, 2021 | Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz. | |||
| CVE-2020-9496 | 0.11 | — | 0.99 | Jul 15, 2020 | XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03 | |||
| CVE-2024-45507 | 0.07 | — | 0.93 | Sep 4, 2024 | Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue. | |||
| CVE-2024-36104 | 0.07 | — | 0.88 | Jun 4, 2024 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue. | |||
| CVE-2023-50968 | 0.07 | — | 0.63 | Dec 26, 2023 | Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version… | |||
| CVE-2022-47501 | 0.07 | — | 0.10 | Apr 14, 2023 | Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07. | |||
| CVE-2021-30128 | 0.07 | — | 0.81 | Apr 27, 2021 | Apache OFBiz has unsafe deserialization prior to 17.12.07 version | |||
| CVE-2021-29200 | 0.07 | — | 0.55 | Apr 27, 2021 | Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack | |||
| CVE-2020-1943 | 0.07 | — | 0.97 | Apr 1, 2020 | Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07. | |||
| CVE-2018-8033 | 0.07 | — | 0.26 | Dec 13, 2018 | In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters:… |
- risk 0.40cvss 6.1epss 0.01
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects…
- risk 0.40cvss 6.1epss 0.03
The default configuration of the Apache OFBiz framework offers a blog functionality. Different users are able to operate blogs which are related to specific parties. In the form field for the creation of new blog articles the user input of the summary field as well as the…
- risk 0.40cvss 6.1epss 0.09
Cross-site scripting (XSS) vulnerability in the DisplayEntityField.getDescription method in ModelFormField.java in Apache OFBiz before 12.04.06 and 13.07.x before 13.07.03 allows remote attackers to inject arbitrary web script or HTML via the description attribute of a…
- risk 0.34cvss 5.3epss 0.00
Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
- risk 0.34cvss 5.3epss 0.01
Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
- risk 0.23cvss —epss 0.99
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue.
- risk 0.20cvss —epss 1.00
Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.
- risk 0.16cvss —epss 0.99
Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some…
- CVE-2023-51467Dec 26, 2023risk 0.11cvss —epss 0.96
The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code
- CVE-2023-49070Dec 5, 2023risk 0.11cvss —epss 0.95
Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10. Users are recommended to upgrade to version 18.12.10
- CVE-2021-26295Mar 22, 2021risk 0.11cvss —epss 0.98
Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.
- CVE-2020-9496Jul 15, 2020risk 0.11cvss —epss 0.99
XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03
- CVE-2024-45507Sep 4, 2024risk 0.07cvss —epss 0.93
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.
- CVE-2024-36104Jun 4, 2024risk 0.07cvss —epss 0.88
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue.
- CVE-2023-50968Dec 26, 2023risk 0.07cvss —epss 0.63
Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version…
- CVE-2022-47501Apr 14, 2023risk 0.07cvss —epss 0.10
Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07.
- CVE-2021-30128Apr 27, 2021risk 0.07cvss —epss 0.81
Apache OFBiz has unsafe deserialization prior to 17.12.07 version
- CVE-2021-29200Apr 27, 2021risk 0.07cvss —epss 0.55
Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack
- CVE-2020-1943Apr 1, 2020risk 0.07cvss —epss 0.97
Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07.
- CVE-2018-8033Dec 13, 2018risk 0.07cvss —epss 0.26
In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters:…
Page 2 of 4