Ofbiz
by Apache
Source repositories
CVEs (76)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-23946 | 0.00 | — | 0.03 | Feb 28, 2024 | Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue. | |||
| CVE-2024-25065 | 0.00 | — | 0.48 | Feb 28, 2024 | Possible path traversal in Apache OFBiz allowing authentication bypass. Users are recommended to upgrade to version 18.12.12, that fixes the issue. | |||
| CVE-2023-46819 | 0.00 | — | 0.02 | Nov 7, 2023 | Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin. This issue affects Apache OFBiz: before 18.12.09. Users are recommended to upgrade to version 18.12.09 | |||
| CVE-2022-29158 | 0.00 | — | 0.02 | Sep 2, 2022 | Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599 | |||
| CVE-2022-25371 | 0.00 | — | 0.04 | Sep 2, 2022 | Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. By leveraging a bug in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142) it is possible to perform a remote code execution (RCE) attack in… | |||
| CVE-2022-25370 | 0.00 | — | 0.02 | Sep 2, 2022 | Apache OFBiz uses the Birt plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. In Apache OFBiz release 18.12.05, and earlier versions, by leveraging a vulnerability in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142), an… | |||
| CVE-2021-25958 | 0.00 | — | 0.03 | Aug 30, 2021 | In Apache Ofbiz, versions v17.12.01 to v17.12.07 implement a try catch exception to handle errors at multiple locations but leaks out sensitive table info which may aid the attacker for further recon. A user can register with a very long password, but when he tries to login with… | |||
| CVE-2021-37608 | 0.00 | — | 0.06 | Aug 18, 2021 | Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands. This issue affects Apache OFBiz version 17.12.07 and prior versions. Upgrade to at least 17.12.08 or apply patches at… | |||
| CVE-2020-13923 | 0.00 | — | 0.05 | Jul 15, 2020 | IDOR vulnerability in the order processing feature from ecommerce component of Apache OFBiz before 17.12.04 | |||
| CVE-2019-12425 | 0.00 | — | 0.05 | Apr 30, 2020 | Apache OFBiz 17.12.01 is vulnerable to Host header injection by accepting arbitrary host | |||
| CVE-2019-12426 | 0.00 | — | 0.05 | Feb 6, 2020 | an unauthenticated user could get access to information of some backend screens by invoking setSessionLocale in Apache OFBiz 16.11.01 to 16.11.06 | |||
| CVE-2019-10074 | 0.00 | — | 0.03 | Sep 11, 2019 | An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good… | |||
| CVE-2019-10073 | 0.00 | — | 0.05 | Sep 11, 2019 | The "Blog", "Forum", "Contact Us" screens of the template "ecommerce" application bundled in Apache OFBiz are weak to Stored XSS attacks. Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16.11: 1858438, 1858543, 1860595 and 1860616 | |||
| CVE-2018-17200 | 0.00 | — | 0.05 | Sep 11, 2019 | The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. This service takes the `serviceContent` parameter in the request and deserializes it using XStream. This `XStream`… | |||
| CVE-2006-6588 | 0.00 | — | 0.02 | Dec 15, 2006 | The forum implementation in the ecommerce component in the Apache Open For Business Project (OFBiz) trusts the (1) dataResourceTypeId, (2) contentTypeId, and certain other hidden form fields, which allows remote attackers to create unauthorized types of content, modify content,… | |||
| CVE-2006-6589 | 0.00 | — | 0.03 | Dec 15, 2006 | Cross-site scripting (XSS) vulnerability in ecommerce/control/keywordsearch in the Apache Open For Business Project (OFBiz) and Opentaps 0.9.3 allows remote attackers to inject arbitrary web script or HTML via the SEARCH_STRING parameter, a different issue than CVE-2006-6587.… |
- CVE-2024-23946Feb 28, 2024risk 0.00cvss —epss 0.03
Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue.
- CVE-2024-25065Feb 28, 2024risk 0.00cvss —epss 0.48
Possible path traversal in Apache OFBiz allowing authentication bypass. Users are recommended to upgrade to version 18.12.12, that fixes the issue.
- CVE-2023-46819Nov 7, 2023risk 0.00cvss —epss 0.02
Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin. This issue affects Apache OFBiz: before 18.12.09. Users are recommended to upgrade to version 18.12.09
- CVE-2022-29158Sep 2, 2022risk 0.00cvss —epss 0.02
Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599
- CVE-2022-25371Sep 2, 2022risk 0.00cvss —epss 0.04
Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. By leveraging a bug in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142) it is possible to perform a remote code execution (RCE) attack in…
- CVE-2022-25370Sep 2, 2022risk 0.00cvss —epss 0.02
Apache OFBiz uses the Birt plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. In Apache OFBiz release 18.12.05, and earlier versions, by leveraging a vulnerability in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142), an…
- CVE-2021-25958Aug 30, 2021risk 0.00cvss —epss 0.03
In Apache Ofbiz, versions v17.12.01 to v17.12.07 implement a try catch exception to handle errors at multiple locations but leaks out sensitive table info which may aid the attacker for further recon. A user can register with a very long password, but when he tries to login with…
- CVE-2021-37608Aug 18, 2021risk 0.00cvss —epss 0.06
Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands. This issue affects Apache OFBiz version 17.12.07 and prior versions. Upgrade to at least 17.12.08 or apply patches at…
- CVE-2020-13923Jul 15, 2020risk 0.00cvss —epss 0.05
IDOR vulnerability in the order processing feature from ecommerce component of Apache OFBiz before 17.12.04
- CVE-2019-12425Apr 30, 2020risk 0.00cvss —epss 0.05
Apache OFBiz 17.12.01 is vulnerable to Host header injection by accepting arbitrary host
- CVE-2019-12426Feb 6, 2020risk 0.00cvss —epss 0.05
an unauthenticated user could get access to information of some backend screens by invoking setSessionLocale in Apache OFBiz 16.11.01 to 16.11.06
- CVE-2019-10074Sep 11, 2019risk 0.00cvss —epss 0.03
An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good…
- CVE-2019-10073Sep 11, 2019risk 0.00cvss —epss 0.05
The "Blog", "Forum", "Contact Us" screens of the template "ecommerce" application bundled in Apache OFBiz are weak to Stored XSS attacks. Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16.11: 1858438, 1858543, 1860595 and 1860616
- CVE-2018-17200Sep 11, 2019risk 0.00cvss —epss 0.05
The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. This service takes the `serviceContent` parameter in the request and deserializes it using XStream. This `XStream`…
- CVE-2006-6588Dec 15, 2006risk 0.00cvss —epss 0.02
The forum implementation in the ecommerce component in the Apache Open For Business Project (OFBiz) trusts the (1) dataResourceTypeId, (2) contentTypeId, and certain other hidden form fields, which allows remote attackers to create unauthorized types of content, modify content,…
- CVE-2006-6589Dec 15, 2006risk 0.00cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in ecommerce/control/keywordsearch in the Apache Open For Business Project (OFBiz) and Opentaps 0.9.3 allows remote attackers to inject arbitrary web script or HTML via the SEARCH_STRING parameter, a different issue than CVE-2006-6587.…
Page 4 of 4