Ofbiz
by Apache
Source repositories
CVEs (76)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2011-3600 | 0.06 | — | 0.16 | Nov 26, 2019 | The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open… | |||
| CVE-2013-0177 | 0.05 | — | 0.21 | Jan 30, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in widget/screen/ModelScreenWidget.java in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.05, 11.04.01, and possibly 09.04.x allow remote authenticated users to inject arbitrary web script or HTML via the (1)… | |||
| CVE-2010-0432 | 0.05 | — | 0.23 | Apr 15, 2010 | Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 09.04 and earlier, as used in Opentaps, Neogia, and Entente Oya, allow remote attackers to inject arbitrary web script or HTML via (1) the productStoreId parameter to… | |||
| CVE-2022-25813 | 0.04 | — | 0.67 | Sep 2, 2022 | In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious content in a message “Subject” field from the "Contact us" page. Then a party manager needs to list the communications in the party… | |||
| CVE-2019-0235 | 0.03 | — | 0.33 | Apr 30, 2020 | Apache OFBiz 17.12.01 is vulnerable to some CSRF attacks. | |||
| CVE-2022-29063 | 0.02 | — | 0.04 | Sep 2, 2022 | The Solr plugin of Apache OFBiz is configured by default to automatically make a RMI request on localhost, port 1099. In version 18.12.05 and earlier, by hosting a malicious RMI server on localhost, an attacker may exploit this behavior, at server start-up or on a server… | |||
| CVE-2019-0189 | 0.01 | — | 0.24 | Sep 11, 2019 | The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is… | |||
| CVE-2014-0232 | 0.01 | — | 0.08 | Aug 22, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not… | |||
| CVE-2012-1621 | 0.01 | — | 0.10 | Jun 19, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.02 allow remote attackers to inject arbitrary web script or HTML via (1) a parameter array in freemarker templates, the (2) contentId or (3) mapKey parameter… | |||
| CVE-2013-2250 | 0.01 | — | 0.12 | Aug 15, 2013 | Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote attackers to execute arbitrary Unified Expression Language (UEL) functions via JUEL metacharacters in unspecified parameters, related to nested… | |||
| CVE-2013-2137 | 0.01 | — | 0.08 | Aug 15, 2013 | Cross-site scripting (XSS) vulnerability in the "View Log" screen in the Webtools application in Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote attackers to inject arbitrary web script or HTML via… | |||
| CVE-2012-3506 | 0.01 | — | 0.07 | Oct 25, 2012 | Unspecified vulnerability in the Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.03 has unknown impact and attack vectors. | |||
| CVE-2006-6587 | 0.01 | — | 0.08 | Dec 15, 2006 | Cross-site scripting (XSS) vulnerability in the forum implementation in the ecommerce component in the Apache Open For Business Project (OFBiz) allows remote attackers to inject arbitrary web script or HTML by posting a message. | |||
| CVE-2025-61623 | 0.00 | — | 0.01 | Nov 12, 2025 | Reflected cross-site scripting vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are recommended to upgrade to version 24.09.03, which fixes the issue. | |||
| CVE-2025-59118 | 0.00 | — | 0.02 | Nov 12, 2025 | Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are recommended to upgrade to version 24.09.03, which fixes the issue. | |||
| CVE-2025-54466 | 0.00 | — | 0.14 | Aug 15, 2025 | Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability.… | |||
| CVE-2025-30676 | 0.00 | — | 0.59 | Apr 1, 2025 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.19. Users are recommended to upgrade to version 18.12.19, which fixes the issue. | |||
| CVE-2025-26865 | 0.00 | — | 0.01 | Mar 10, 2025 | Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18. It's a regression between 18.12.17 and 18.12.18. In case you use something like that, which is not… | |||
| CVE-2024-47208 | 0.00 | — | 0.02 | Nov 18, 2024 | Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue. | |||
| CVE-2024-48962 | 0.00 | — | 0.01 | Nov 18, 2024 | Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to… |
- CVE-2011-3600Nov 26, 2019risk 0.06cvss —epss 0.16
The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open…
- CVE-2013-0177Jan 30, 2014risk 0.05cvss —epss 0.21
Multiple cross-site scripting (XSS) vulnerabilities in widget/screen/ModelScreenWidget.java in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.05, 11.04.01, and possibly 09.04.x allow remote authenticated users to inject arbitrary web script or HTML via the (1)…
- CVE-2010-0432Apr 15, 2010risk 0.05cvss —epss 0.23
Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 09.04 and earlier, as used in Opentaps, Neogia, and Entente Oya, allow remote attackers to inject arbitrary web script or HTML via (1) the productStoreId parameter to…
- CVE-2022-25813Sep 2, 2022risk 0.04cvss —epss 0.67
In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious content in a message “Subject” field from the "Contact us" page. Then a party manager needs to list the communications in the party…
- CVE-2019-0235Apr 30, 2020risk 0.03cvss —epss 0.33
Apache OFBiz 17.12.01 is vulnerable to some CSRF attacks.
- CVE-2022-29063Sep 2, 2022risk 0.02cvss —epss 0.04
The Solr plugin of Apache OFBiz is configured by default to automatically make a RMI request on localhost, port 1099. In version 18.12.05 and earlier, by hosting a malicious RMI server on localhost, an attacker may exploit this behavior, at server start-up or on a server…
- CVE-2019-0189Sep 11, 2019risk 0.01cvss —epss 0.24
The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is…
- CVE-2014-0232Aug 22, 2014risk 0.01cvss —epss 0.08
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not…
- CVE-2012-1621Jun 19, 2014risk 0.01cvss —epss 0.10
Multiple cross-site scripting (XSS) vulnerabilities in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.02 allow remote attackers to inject arbitrary web script or HTML via (1) a parameter array in freemarker templates, the (2) contentId or (3) mapKey parameter…
- CVE-2013-2250Aug 15, 2013risk 0.01cvss —epss 0.12
Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote attackers to execute arbitrary Unified Expression Language (UEL) functions via JUEL metacharacters in unspecified parameters, related to nested…
- CVE-2013-2137Aug 15, 2013risk 0.01cvss —epss 0.08
Cross-site scripting (XSS) vulnerability in the "View Log" screen in the Webtools application in Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote attackers to inject arbitrary web script or HTML via…
- CVE-2012-3506Oct 25, 2012risk 0.01cvss —epss 0.07
Unspecified vulnerability in the Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.03 has unknown impact and attack vectors.
- CVE-2006-6587Dec 15, 2006risk 0.01cvss —epss 0.08
Cross-site scripting (XSS) vulnerability in the forum implementation in the ecommerce component in the Apache Open For Business Project (OFBiz) allows remote attackers to inject arbitrary web script or HTML by posting a message.
- CVE-2025-61623Nov 12, 2025risk 0.00cvss —epss 0.01
Reflected cross-site scripting vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are recommended to upgrade to version 24.09.03, which fixes the issue.
- CVE-2025-59118Nov 12, 2025risk 0.00cvss —epss 0.02
Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are recommended to upgrade to version 24.09.03, which fixes the issue.
- CVE-2025-54466Aug 15, 2025risk 0.00cvss —epss 0.14
Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability.…
- CVE-2025-30676Apr 1, 2025risk 0.00cvss —epss 0.59
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.19. Users are recommended to upgrade to version 18.12.19, which fixes the issue.
- CVE-2025-26865Mar 10, 2025risk 0.00cvss —epss 0.01
Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18. It's a regression between 18.12.17 and 18.12.18. In case you use something like that, which is not…
- CVE-2024-47208Nov 18, 2024risk 0.00cvss —epss 0.02
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue.
- CVE-2024-48962Nov 18, 2024risk 0.00cvss —epss 0.01
Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to…
Page 3 of 4