Refine your search
12 vulnerabilities found for ofbiz by apache
CVE-2025-61623 (GCVE-0-2025-61623)
Vulnerability from nvd
Published
2025-11-12 09:16
Modified
2025-11-12 14:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Reflected cross-site scripting vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.03.
Users are recommended to upgrade to version 24.09.03, which fixes the issue.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-12T10:06:02.820Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/11/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-61623",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:29:21.144167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T14:29:43.400Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "24.09.03",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "RedHive Team (security@hive.red) https://hive.red/en/"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eReflected cross-site scripting vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 24.09.03.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 24.09.03, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Reflected cross-site scripting vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 24.09.03.\n\nUsers are recommended to upgrade to version 24.09.03, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T09:16:58.139Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13295"
},
{
"tags": [
"mitigation"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"release-notes"
],
"url": "https://ofbiz.apache.org/release-notes-24.09.03.html"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/sb2mngrg766qbqt5g29fo0qblk3v4x5y"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Reflected Cross-site Scripting",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-61623",
"datePublished": "2025-11-12T09:16:58.139Z",
"dateReserved": "2025-09-29T07:04:49.932Z",
"dateUpdated": "2025-11-12T14:29:43.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59118 (GCVE-0-2025-59118)
Vulnerability from nvd
Published
2025-11-12 09:15
Modified
2025-11-12 14:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.03.
Users are recommended to upgrade to version 24.09.03, which fixes the issue.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Version: 0 < 24.09.03 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-12T10:06:00.568Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/11/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-59118",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:31:40.016692Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T14:31:48.367Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "24.09.03",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "RedHive Team (security@hive.red) https://hive.red/en/"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUnrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 24.09.03.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 24.09.03, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 24.09.03.\n\nUsers are recommended to upgrade to version 24.09.03, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T09:15:54.263Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"release-notes"
],
"url": "https://ofbiz.apache.org/release-notes-24.09.03.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13292"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/202263kpy7g76pzsy1fm96h9lcmhsqpt"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Critical Remote Command Execution via Unrestricted File Upload",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-59118",
"datePublished": "2025-11-12T09:15:54.263Z",
"dateReserved": "2025-09-09T09:57:31.247Z",
"dateUpdated": "2025-11-12T14:31:48.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54466 (GCVE-0-2025-54466)
Vulnerability from nvd
Published
2025-08-15 14:13
Modified
2025-11-04 21:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin.
This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used.
Even unauthenticated attackers can exploit this vulnerability.
Users are recommended to upgrade to version 24.09.02, which fixes the issue.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Version: 0 < 24.09.02 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-54466",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-18T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-19T03:55:29.855Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:12:47.762Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/05/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "24.09.02",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Teeramet Eakwilai \u003cteeramet@datafarm.co.th\u003e"
},
{
"lang": "en",
"type": "finder",
"value": "Thanasin Luangpipat"
},
{
"lang": "en",
"type": "finder",
"value": "Jarukit Auikritskul"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability leading to a possible RCE in Apache OFBiz\u0026nbsp;scrum plugin.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache OFBiz: before 24.09.02 only when the\u0026nbsp;scrum plugin is used.\u003c/p\u003e\u003cp\u003eEven unauthenticated attackers can exploit this vulnerability.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 24.09.02, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability leading to a possible RCE in Apache OFBiz\u00a0scrum plugin.\n\nThis issue affects Apache OFBiz: before 24.09.02 only when the\u00a0scrum plugin is used.\n\nEven unauthenticated attackers can exploit this vulnerability.\n\n\nUsers are recommended to upgrade to version 24.09.02, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T14:13:52.584Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"related"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"release-notes"
],
"url": "https://ofbiz.apache.org/release-notes-24.09.02.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13276"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/14d0yd9co9gx2mctd3vyz1cc8d39n915"
}
],
"source": {
"defect": [
"OFBIZ-13276"
],
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: RCE Vulnerability in scrum plugin",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-54466",
"datePublished": "2025-08-15T14:13:52.584Z",
"dateReserved": "2025-07-23T08:08:20.796Z",
"dateUpdated": "2025-11-04T21:12:47.762Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-45195 (GCVE-0-2024-45195)
Vulnerability from nvd
Published
2024-09-04 08:08
Modified
2025-10-21 22:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-425 - Direct Request ('Forced Browsing')
Summary
Direct Request ('Forced Browsing') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.16.
Users are recommended to upgrade to version 18.12.16, which fixes the issue.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Version: 0 < 18.12.16 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-09-04T09:03:00.547Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/03/6"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ofbiz",
"vendor": "apache",
"versions": [
{
"lessThan": "18.12.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45195",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T15:46:50.643589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-02-04",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45195"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:55:46.145Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45195"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-04T00:00:00+00:00",
"value": "CVE-2024-45195 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "18.12.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "shin24 from National Cyber Security Vietnam"
},
{
"lang": "en",
"type": "finder",
"value": "LuanPV from National Cyber Security Vietnam"
},
{
"lang": "en",
"type": "finder",
"value": "Ryan Emmons, Lead Security Researcher at Rapid7"
},
{
"lang": "en",
"type": "finder",
"value": "Hasib Vhora, Senior Threat Researcher, SonicWall"
},
{
"lang": "en",
"type": "finder",
"value": "Xenc from SGLAB of Legendsec at Qi\u0027anxin Group"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDirect Request (\u0027Forced Browsing\u0027) vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 18.12.16.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.16, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Direct Request (\u0027Forced Browsing\u0027) vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.16.\n\nUsers are recommended to upgrade to version 18.12.16, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-425",
"description": "CWE-425 Direct Request (\u0027Forced Browsing\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T08:08:59.201Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation",
"product",
"release-notes"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13130"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Confused controller-view authorization logic (forced browsing)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45195",
"datePublished": "2024-09-04T08:08:59.201Z",
"dateReserved": "2024-08-22T15:19:27.892Z",
"dateUpdated": "2025-10-21T22:55:46.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38856 (GCVE-0-2024-38856)
Vulnerability from nvd
Published
2024-08-05 08:20
Modified
2025-10-21 22:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Incorrect Authorization vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: through 18.12.14.
Users are recommended to upgrade to version 18.12.15, which fixes the issue.
Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Version: 0 < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T09:02:45.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/04/1"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ofbiz",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "18.12.14",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-38856",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-31T03:55:28.345914Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-08-27",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38856"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:55:48.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38856"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-27T00:00:00+00:00",
"value": "CVE-2024-38856 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "18.12.14",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "unam4"
},
{
"lang": "en",
"type": "finder",
"value": "ruozhi"
},
{
"lang": "en",
"type": "finder",
"value": "m1sn0w"
},
{
"lang": "en",
"type": "finder",
"value": "kuiplatain"
},
{
"lang": "en",
"type": "finder",
"value": "PaperPen@Timeline Sec"
},
{
"lang": "en",
"type": "finder",
"value": "RacerZ"
},
{
"lang": "en",
"type": "finder",
"value": "e0mlja"
},
{
"lang": "en",
"type": "finder",
"value": "Donghyun"
},
{
"lang": "en",
"type": "finder",
"value": "4ra1n"
},
{
"lang": "en",
"type": "finder",
"value": "godspeed"
},
{
"lang": "en",
"type": "finder",
"value": "Hasib Vhora"
},
{
"lang": "en",
"type": "finder",
"value": "pwnull"
},
{
"lang": "en",
"type": "finder",
"value": "blckder02-YHLab"
},
{
"lang": "en",
"type": "finder",
"value": "Xenc from SGLAB of Legendsec at Qi\u0027anxin Group"
},
{
"lang": "en",
"type": "finder",
"value": "Nicholas Zubrisky."
},
{
"lang": "en",
"type": "finder",
"value": "Y4tacker"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Authorization vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: through 18.12.14.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.15, which fixes the issue.\u003c/p\u003eUnauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don\u0027t explicitly check user\u0027s permissions because they rely on the configuration of their endpoints).\u003cbr\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: through 18.12.14.\n\nUsers are recommended to upgrade to version 18.12.15, which fixes the issue.\n\nUnauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don\u0027t explicitly check user\u0027s permissions because they rely on the configuration of their endpoints)."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T08:20:18.081Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"product",
"mitigation"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"related"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13128"
}
],
"source": {
"defect": [
"OFBIZ-13128"
],
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Unauthenticated endpoint could allow execution of screen rendering code",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-38856",
"datePublished": "2024-08-05T08:20:18.081Z",
"dateReserved": "2024-06-20T07:28:36.680Z",
"dateUpdated": "2025-10-21T22:55:48.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32113 (GCVE-0-2024-32113)
Vulnerability from nvd
Published
2024-05-08 14:50
Modified
2025-10-21 23:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13.
Users are recommended to upgrade to version 18.12.13, which fixes the issue.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Version: 0 < 18.12.13 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ofbiz",
"vendor": "apache",
"versions": [
{
"lessThan": "18.12.13",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-32113",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T03:55:24.439277Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-08-07",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-32113"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:05:18.831Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-32113"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-07T00:00:00+00:00",
"value": "CVE-2024-32113 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:06:44.061Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"mitigation",
"x_transferred"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"related",
"x_transferred"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13006"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/w6s60okgkxp2th1sr8vx0ndmgk68fqrd"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/05/09/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "18.12.13",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qiyi Zhang (RacerZ) @secsys from Fudan"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Apache OFBiz.\u003cp\u003eThis issue affects Apache OFBiz: before 18.12.13.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.13, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13.\n\nUsers are recommended to upgrade to version 18.12.13, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T18:07:35.107Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"related"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13006"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/w6s60okgkxp2th1sr8vx0ndmgk68fqrd"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/05/09/1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Path traversal leading to RCE",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-32113",
"datePublished": "2024-05-08T14:50:07.272Z",
"dateReserved": "2024-04-11T06:42:13.766Z",
"dateUpdated": "2025-10-21T23:05:18.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61623 (GCVE-0-2025-61623)
Vulnerability from cvelistv5
Published
2025-11-12 09:16
Modified
2025-11-12 14:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Reflected cross-site scripting vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.03.
Users are recommended to upgrade to version 24.09.03, which fixes the issue.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-12T10:06:02.820Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/11/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-61623",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:29:21.144167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T14:29:43.400Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "24.09.03",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "RedHive Team (security@hive.red) https://hive.red/en/"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eReflected cross-site scripting vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 24.09.03.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 24.09.03, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Reflected cross-site scripting vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 24.09.03.\n\nUsers are recommended to upgrade to version 24.09.03, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T09:16:58.139Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13295"
},
{
"tags": [
"mitigation"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"release-notes"
],
"url": "https://ofbiz.apache.org/release-notes-24.09.03.html"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/sb2mngrg766qbqt5g29fo0qblk3v4x5y"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Reflected Cross-site Scripting",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-61623",
"datePublished": "2025-11-12T09:16:58.139Z",
"dateReserved": "2025-09-29T07:04:49.932Z",
"dateUpdated": "2025-11-12T14:29:43.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59118 (GCVE-0-2025-59118)
Vulnerability from cvelistv5
Published
2025-11-12 09:15
Modified
2025-11-12 14:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.03.
Users are recommended to upgrade to version 24.09.03, which fixes the issue.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Version: 0 < 24.09.03 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-12T10:06:00.568Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/11/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-59118",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:31:40.016692Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T14:31:48.367Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "24.09.03",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "RedHive Team (security@hive.red) https://hive.red/en/"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUnrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 24.09.03.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 24.09.03, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 24.09.03.\n\nUsers are recommended to upgrade to version 24.09.03, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T09:15:54.263Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"release-notes"
],
"url": "https://ofbiz.apache.org/release-notes-24.09.03.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13292"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/202263kpy7g76pzsy1fm96h9lcmhsqpt"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Critical Remote Command Execution via Unrestricted File Upload",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-59118",
"datePublished": "2025-11-12T09:15:54.263Z",
"dateReserved": "2025-09-09T09:57:31.247Z",
"dateUpdated": "2025-11-12T14:31:48.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54466 (GCVE-0-2025-54466)
Vulnerability from cvelistv5
Published
2025-08-15 14:13
Modified
2025-11-04 21:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin.
This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used.
Even unauthenticated attackers can exploit this vulnerability.
Users are recommended to upgrade to version 24.09.02, which fixes the issue.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Version: 0 < 24.09.02 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-54466",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-18T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-19T03:55:29.855Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:12:47.762Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/05/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "24.09.02",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Teeramet Eakwilai \u003cteeramet@datafarm.co.th\u003e"
},
{
"lang": "en",
"type": "finder",
"value": "Thanasin Luangpipat"
},
{
"lang": "en",
"type": "finder",
"value": "Jarukit Auikritskul"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability leading to a possible RCE in Apache OFBiz\u0026nbsp;scrum plugin.\u003cbr\u003e\u003cbr\u003eThis issue affects Apache OFBiz: before 24.09.02 only when the\u0026nbsp;scrum plugin is used.\u003c/p\u003e\u003cp\u003eEven unauthenticated attackers can exploit this vulnerability.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 24.09.02, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability leading to a possible RCE in Apache OFBiz\u00a0scrum plugin.\n\nThis issue affects Apache OFBiz: before 24.09.02 only when the\u00a0scrum plugin is used.\n\nEven unauthenticated attackers can exploit this vulnerability.\n\n\nUsers are recommended to upgrade to version 24.09.02, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T14:13:52.584Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"related"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"release-notes"
],
"url": "https://ofbiz.apache.org/release-notes-24.09.02.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13276"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/14d0yd9co9gx2mctd3vyz1cc8d39n915"
}
],
"source": {
"defect": [
"OFBIZ-13276"
],
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: RCE Vulnerability in scrum plugin",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-54466",
"datePublished": "2025-08-15T14:13:52.584Z",
"dateReserved": "2025-07-23T08:08:20.796Z",
"dateUpdated": "2025-11-04T21:12:47.762Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-45195 (GCVE-0-2024-45195)
Vulnerability from cvelistv5
Published
2024-09-04 08:08
Modified
2025-10-21 22:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-425 - Direct Request ('Forced Browsing')
Summary
Direct Request ('Forced Browsing') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.16.
Users are recommended to upgrade to version 18.12.16, which fixes the issue.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Version: 0 < 18.12.16 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-09-04T09:03:00.547Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/03/6"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ofbiz",
"vendor": "apache",
"versions": [
{
"lessThan": "18.12.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45195",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T15:46:50.643589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-02-04",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45195"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:55:46.145Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45195"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-04T00:00:00+00:00",
"value": "CVE-2024-45195 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "18.12.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "shin24 from National Cyber Security Vietnam"
},
{
"lang": "en",
"type": "finder",
"value": "LuanPV from National Cyber Security Vietnam"
},
{
"lang": "en",
"type": "finder",
"value": "Ryan Emmons, Lead Security Researcher at Rapid7"
},
{
"lang": "en",
"type": "finder",
"value": "Hasib Vhora, Senior Threat Researcher, SonicWall"
},
{
"lang": "en",
"type": "finder",
"value": "Xenc from SGLAB of Legendsec at Qi\u0027anxin Group"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDirect Request (\u0027Forced Browsing\u0027) vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: before 18.12.16.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.16, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Direct Request (\u0027Forced Browsing\u0027) vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: before 18.12.16.\n\nUsers are recommended to upgrade to version 18.12.16, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-425",
"description": "CWE-425 Direct Request (\u0027Forced Browsing\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T08:08:59.201Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation",
"product",
"release-notes"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"patch"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13130"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Confused controller-view authorization logic (forced browsing)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45195",
"datePublished": "2024-09-04T08:08:59.201Z",
"dateReserved": "2024-08-22T15:19:27.892Z",
"dateUpdated": "2025-10-21T22:55:46.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38856 (GCVE-0-2024-38856)
Vulnerability from cvelistv5
Published
2024-08-05 08:20
Modified
2025-10-21 22:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Incorrect Authorization vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: through 18.12.14.
Users are recommended to upgrade to version 18.12.15, which fixes the issue.
Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Version: 0 < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T09:02:45.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/04/1"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ofbiz",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "18.12.14",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-38856",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-31T03:55:28.345914Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-08-27",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38856"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:55:48.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38856"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-27T00:00:00+00:00",
"value": "CVE-2024-38856 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "18.12.14",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "unam4"
},
{
"lang": "en",
"type": "finder",
"value": "ruozhi"
},
{
"lang": "en",
"type": "finder",
"value": "m1sn0w"
},
{
"lang": "en",
"type": "finder",
"value": "kuiplatain"
},
{
"lang": "en",
"type": "finder",
"value": "PaperPen@Timeline Sec"
},
{
"lang": "en",
"type": "finder",
"value": "RacerZ"
},
{
"lang": "en",
"type": "finder",
"value": "e0mlja"
},
{
"lang": "en",
"type": "finder",
"value": "Donghyun"
},
{
"lang": "en",
"type": "finder",
"value": "4ra1n"
},
{
"lang": "en",
"type": "finder",
"value": "godspeed"
},
{
"lang": "en",
"type": "finder",
"value": "Hasib Vhora"
},
{
"lang": "en",
"type": "finder",
"value": "pwnull"
},
{
"lang": "en",
"type": "finder",
"value": "blckder02-YHLab"
},
{
"lang": "en",
"type": "finder",
"value": "Xenc from SGLAB of Legendsec at Qi\u0027anxin Group"
},
{
"lang": "en",
"type": "finder",
"value": "Nicholas Zubrisky."
},
{
"lang": "en",
"type": "finder",
"value": "Y4tacker"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Authorization vulnerability in Apache OFBiz.\u003c/p\u003e\u003cp\u003eThis issue affects Apache OFBiz: through 18.12.14.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.15, which fixes the issue.\u003c/p\u003eUnauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don\u0027t explicitly check user\u0027s permissions because they rely on the configuration of their endpoints).\u003cbr\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Apache OFBiz.\n\nThis issue affects Apache OFBiz: through 18.12.14.\n\nUsers are recommended to upgrade to version 18.12.15, which fixes the issue.\n\nUnauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don\u0027t explicitly check user\u0027s permissions because they rely on the configuration of their endpoints)."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T08:20:18.081Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"product",
"mitigation"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"related"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13128"
}
],
"source": {
"defect": [
"OFBIZ-13128"
],
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Unauthenticated endpoint could allow execution of screen rendering code",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-38856",
"datePublished": "2024-08-05T08:20:18.081Z",
"dateReserved": "2024-06-20T07:28:36.680Z",
"dateUpdated": "2025-10-21T22:55:48.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32113 (GCVE-0-2024-32113)
Vulnerability from cvelistv5
Published
2024-05-08 14:50
Modified
2025-10-21 23:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13.
Users are recommended to upgrade to version 18.12.13, which fixes the issue.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Version: 0 < 18.12.13 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ofbiz",
"vendor": "apache",
"versions": [
{
"lessThan": "18.12.13",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-32113",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T03:55:24.439277Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-08-07",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-32113"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:05:18.831Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-32113"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-07T00:00:00+00:00",
"value": "CVE-2024-32113 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:06:44.061Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"mitigation",
"x_transferred"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"related",
"x_transferred"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13006"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/w6s60okgkxp2th1sr8vx0ndmgk68fqrd"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/05/09/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "18.12.13",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qiyi Zhang (RacerZ) @secsys from Fudan"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Apache OFBiz.\u003cp\u003eThis issue affects Apache OFBiz: before 18.12.13.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 18.12.13, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13.\n\nUsers are recommended to upgrade to version 18.12.13, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T18:07:35.107Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mitigation"
],
"url": "https://ofbiz.apache.org/download.html"
},
{
"tags": [
"related"
],
"url": "https://ofbiz.apache.org/security.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/OFBIZ-13006"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/w6s60okgkxp2th1sr8vx0ndmgk68fqrd"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/05/09/1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache OFBiz: Path traversal leading to RCE",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-32113",
"datePublished": "2024-05-08T14:50:07.272Z",
"dateReserved": "2024-04-11T06:42:13.766Z",
"dateUpdated": "2025-10-21T23:05:18.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}