Apache Ofbiz vulnerabilities
54 known vulnerabilities affecting apache/ofbiz.
Total CVEs: 54
CISA KEV: 3 (actively exploited)
Public exploits: 19
Exploited in wild: 4
Severity breakdown: CRITICAL 23, HIGH 13, MEDIUM 16, LOW 2
Vulnerabilities
Page 2 of 3
CVE-2022-29063 [CRITICAL] CVSS 9.8 | CWE-502 | fixed in 18.12.06 | 2022-09-02
The Solr plugin of Apache OFBiz is configured by default to automatically make a RMI request on localhost, port 1099. In version 18.12.05 and earlier, by hosting a malicious RMI server on localhost, an attacker may exploit this behavior, at server start-up or on a server restart, in order to run arbitrary code. Upgrade to at least 18.12.06 or appl
nvd
CVE-2022-25813 [HIGH] CVSS 7.5 | CWE-1336 | fixed in 18.12.06 | 2022-09-02
In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin can insert malicious content in a message "Subject" field from the "Contact us" page. A party manager then needs to list the communications in the party component to activate the SSTI. An RCE is then possible.
nvd
CVE-2022-29158 [HIGH] CVSS 7.5 | CWE-1333 | fixed in 18.12.06 | 2022-09-02
Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599
nvd
CVE-2022-25370 [MEDIUM] CVSS 5.4 | CWE-79 | fixed in 18.12.06 | 2022-09-02
Apache OFBiz uses the Birt plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. In Apache OFBiz release 18.12.05, and earlier versions, by leveraging a vulnerability in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142), an unauthenticated malicious user could perform a stored XSS attack in order to inj
nvd
CVE-2021-25958 [HIGH] CVSS 7.5 | CWE-209 | ≥ 17.12.01, < 17.12.08 | 2021-08-30
Apache Ofbiz versions v17.12.01 to v17.12.07 use try/catch exception handling at multiple locations but leak sensitive table info, which may aid an attacker in further recon. A user can register with a very long password, but when they try to log in with it an exception occurs.
nvd
CVE-2021-37608 [CRITICAL] CVSS 9.8 | CWE-434 | fixed in 17.12.08 | 2021-08-18
Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands. This issue affects Apache OFBiz version 17.12.07 and prior versions. Upgrade to at least 17.12.08 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12297.
nvd
CVE-2021-29200 [CRITICAL] CVSS 9.8 | CWE-502 | PoC | fixed in 17.12.07 | 2021-04-27
Apache OFBiz has unsafe deserialization prior to version 17.12.07. An unauthenticated user can perform an RCE attack.
nvd
CVE-2021-30128 [CRITICAL] CVSS 9.8 | CWE-502 | PoC | fixed in 17.12.07 | 2021-04-27
Apache OFBiz has unsafe deserialization prior to version 17.12.07.
nvd
CVE-2021-26295 [CRITICAL] CVSS 9.8 | CWE-502 | PoC | fixed in 17.12.06 | 2021-03-22
Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.
nvd
CVE-2020-9496 [MEDIUM] CVSS 6.1 | CWE-79 | Exploited | PoC | v17.12.03 | 2020-07-15
XML-RPC requests are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03.
nvd
CVE-2020-13923 [MEDIUM] CVSS 5.3 | CWE-639 | fixed in 17.12.04 | 2020-07-15
IDOR vulnerability in the order processing feature of the ecommerce component of Apache OFBiz before 17.12.04.
nvd
CVE-2019-12425 [HIGH] CVSS 7.5 | CWE-74 | v17.12.01 | 2020-04-30
Apache OFBiz 17.12.01 is vulnerable to Host header injection by accepting arbitrary host.
nvd
CVE-2019-0235 [HIGH] CVSS 8.8 | CWE-352 | PoC | v17.12.01 | 2020-04-30
Apache OFBiz 17.12.01 is vulnerable to some CSRF attacks.
nvd
CVE-2020-1943 [MEDIUM] CVSS 6.1 | CWE-79 | PoC | ≥ 16.11.01, ≤ 16.11.07 | 2020-04-01
Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07.
nvd
CVE-2019-12426 [MEDIUM] CVSS 5.3 | ≥ 16.11.01, ≤ 16.11.06 | 2020-02-06
An unauthenticated user could get access to information of some backend screens by invoking setSessionLocale in Apache OFBiz 16.11.01 to 16.11.06.
nvd
CVE-2011-3600 [HIGH] CVSS 7.5 | CWE-611 | PoC | ≥ 16.11.01, ≤ 16.11.04 | 2019-11-26
The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open network ports, and figure out from returned error messages whether a file exists o
nvd
CVE-2019-10074 [CRITICAL] CVSS 9.8 | CWE-74 | ≥ 16.11.01, ≤ 16.11.05 | OFBiz 16.11.01 to 16.11.05 | 2019-09-11
An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Up
cvelistv5, nvd
CVE-2018-17200 [CRITICAL] CVSS 9.8 | ≥ 16.11.01, ≤ 16.11.05 | OFBiz 16.11.01 to 16.11.05 | 2019-09-11
The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. This service takes the `serviceContent` parameter in the request and deserializes it using XStream. This `XStream` instance is slightly guarded by disabling the creation of `ProcessBuilder`. Howev
cvelistv5, nvd
CVE-2019-0189 [CRITICAL] CVSS 9.8 | CWE-502 | ≥ 16.11.01, < 16.11.06 | OFBiz 16.11.01 to 16.11.05 | 2019-09-11
The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is passed to the "deserialize" method of "XmlSerializer". Apache Ofbiz is affe
cvelistv5, nvd
CVE-2019-10073 [MEDIUM] CVSS 6.1 | CWE-79 | ≥ 16.11.01, ≤ 16.11.05 | OFBiz 16.11.01 to 16.11.05 | 2019-09-11
The "Blog", "Forum", "Contact Us" screens of the template "ecommerce" application bundled in Apache OFBiz are vulnerable to Stored XSS attacks. Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16.11: 1858438, 1858543, 1860595 and 1860616.
cvelistv5, nvd