VYPR

Ofbiz

by Apache


CVEs (76)

  • CVE-2024-23946 (Feb 28, 2024)
    risk 0.00 | cvss | epss 0.03

    Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, which fixes the issue.

  • CVE-2024-25065 (Feb 28, 2024)
    risk 0.00 | cvss | epss 0.48

    Possible path traversal in Apache OFBiz allowing authentication bypass. Users are recommended to upgrade to version 18.12.12, which fixes the issue.

  • CVE-2023-46819 (Nov 7, 2023)
    risk 0.00 | cvss | epss 0.02

    Missing authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin. This issue affects Apache OFBiz before 18.12.09. Users are recommended to upgrade to version 18.12.09.

  • CVE-2022-29158 (Sep 2, 2022)
    risk 0.00 | cvss | epss 0.02

    Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599

  • CVE-2022-25371 (Sep 2, 2022)
    risk 0.00 | cvss | epss 0.04

    Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. By leveraging a bug in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142) it is possible to perform a remote code execution (RCE) attack in…

  • CVE-2022-25370 (Sep 2, 2022)
    risk 0.00 | cvss | epss 0.02

    Apache OFBiz uses the Birt plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. In Apache OFBiz release 18.12.05, and earlier versions, by leveraging a vulnerability in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142), an…

  • CVE-2021-25958 (Aug 30, 2021)
    risk 0.00 | cvss | epss 0.03

    Apache OFBiz versions v17.12.01 to v17.12.07 implement try/catch exception handling at multiple locations that leaks sensitive table information, which may aid an attacker in further reconnaissance. A user can register with a very long password, but when he tries to log in with…

  • CVE-2021-37608 (Aug 18, 2021)
    risk 0.00 | cvss | epss 0.06

    Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands. This issue affects Apache OFBiz version 17.12.07 and prior versions. Upgrade to at least 17.12.08 or apply patches at…

  • CVE-2020-13923 (Jul 15, 2020)
    risk 0.00 | cvss | epss 0.05

    IDOR vulnerability in the order processing feature of the ecommerce component of Apache OFBiz before 17.12.04.

  • CVE-2019-12425 (Apr 30, 2020)
    risk 0.00 | cvss | epss 0.05

    Apache OFBiz 17.12.01 is vulnerable to Host header injection by accepting an arbitrary host.

  • CVE-2019-12426 (Feb 6, 2020)
    risk 0.00 | cvss | epss 0.05

    An unauthenticated user could get access to information of some backend screens by invoking setSessionLocale in Apache OFBiz 16.11.01 to 16.11.06.

  • CVE-2019-10074 (Sep 11, 2019)
    risk 0.00 | cvss | epss 0.03

    An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good…

  • CVE-2019-10073 (Sep 11, 2019)
    risk 0.00 | cvss | epss 0.05

    The "Blog", "Forum", and "Contact Us" screens of the template "ecommerce" application bundled in Apache OFBiz are vulnerable to stored XSS attacks. Mitigation: upgrade to 16.11.06 or manually apply the following commits on branch 16.11: 1858438, 1858543, 1860595 and 1860616.

  • CVE-2018-17200 (Sep 11, 2019)
    risk 0.00 | cvss | epss 0.05

    The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. This service takes the `serviceContent` parameter in the request and deserializes it using XStream. This `XStream`…

  • CVE-2006-6588 (Dec 15, 2006)
    risk 0.00 | cvss | epss 0.02

    The forum implementation in the ecommerce component in the Apache Open For Business Project (OFBiz) trusts the (1) dataResourceTypeId, (2) contentTypeId, and certain other hidden form fields, which allows remote attackers to create unauthorized types of content, modify content,…

  • CVE-2006-6589 (Dec 15, 2006)
    risk 0.00 | cvss | epss 0.03

    Cross-site scripting (XSS) vulnerability in ecommerce/control/keywordsearch in the Apache Open For Business Project (OFBiz) and Opentaps 0.9.3 allows remote attackers to inject arbitrary web script or HTML via the SEARCH_STRING parameter, a different issue than CVE-2006-6587.…
