⚠ Actively exploited
Added to CISA KEV on 2025-02-04. Federal agencies required to patch by 2025-02-25. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2024-45195

CWE-4259 documents9 sources
Severity
7.5HIGH
EPSS
94.1%
top 0.08%
CISA KEV
KEV
Added 2025-02-04
Due 2025-02-25
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Apache Software Foundation Apache OfbizApache Ofbiz
Timeline
PublishedSep 4
KEV addedFeb 4
KEV dueFeb 25
CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDapache/ofbiz< 18.12.16

🔴Vulnerability Details

3
CVEList
Apache OFBiz: Confused controller-view authorization logic (forced browsing)2024-09-04
GHSA
GHSA-hrmf-4pvg-rf3x: Direct Request ('Forced Browsing') vulnerability in Apache OFBiz2024-09-04
VulnCheck
Apache OFBiz Forced Browsing Vulnerability2024

💥Exploits & PoCs

1
Nuclei
Apache OFBiz - Remote Code Execution

🔍Detection Rules

1
Suricata
ET WEB_SPECIFIC_APPS Apache OFBiz Server-Side Request Forgery (CVE-2024-45195)2024-10-01

📋Vendor Advisories

2
CISA
Apache OFBiz Forced Browsing Vulnerability2025-02-04
Apache
Apache ofbiz: CVE-2024-45195
CVE-2024-45195 (HIGH CVSS 7.5) | Direct Request ('Forced Browsing') | cvebase.io