Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Ofbiz
APPApache< 18.12.15
CISA KEV — detailsi
- Vendori
- Apache ↗
- Producti
- OFBiz
- Added to KEVi
- August 27, 2024
- Remediation deadline (US Federal)i
- September 17, 2024(overdue)
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker.
Related vulnerabilities
Path Traversal w Apache OFBiz umożliwiający zdalne wykonanie kodu
Apache OFBiz — użycie zakodowanego na stałe klucza kryptograficznego
Apache OFBiz — Auth Bypass i RCE poprzez błąd logiki zmiany hasła
LDAP Injection w Apache OFBiz umożliwiający nieautoryzowany dostęp
Apache OFBiz: Code Injection w pluginie scrum umożliwia RCE