Apache OFBiz vulnerabilities
73 known vulnerabilities affecting apache/ofbiz.
Total CVEs: 73
CISA KEV: 4 (actively exploited)
Public exploits: 20
Exploited in wild: 5
Severity breakdown: CRITICAL 26, HIGH 17, MEDIUM 27, LOW 2, UNKNOWN 1
Vulnerabilities
Page 3 of 4
CVE-2022-25370 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 18.12.06 | 2022-09-02
Apache OFBiz uses the Birt plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. In Apache OFBiz release 18.12.05, and earlier versions, by leveraging a vulnerability in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142), an unauthenticated malicious user could perform a stored XSS attack in order to inj
nvd, apache
CVE-2021-25958 | HIGH | CVSS 7.5 | CWE-209 | ≥ 17.12.01, < 17.12.08 | 2021-08-30
In Apache OFBiz, versions v17.12.01 to v17.12.07 implement try/catch exception handling at multiple locations but leak sensitive table info, which may aid an attacker in further recon. A user can register with a very long password, but when he tries to log in with it an exception occurs.
nvd
CVE-2021-37608 | CRITICAL | CVSS 9.8 | CWE-434 | fixed in 17.12.08 | 2021-08-18
Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands. This issue affects Apache OFBiz version 17.12.07 and prior versions. Upgrade to at least 17.12.08 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12297.
nvd, apache
CVE-2021-29200 | CRITICAL | CVSS 9.8 | CWE-502 | PoC | fixed in 17.12.07 | 2021-04-27
Apache OFBiz has unsafe deserialization prior to version 17.12.07. An unauthenticated user can perform an RCE attack.
nvd, apache
CVE-2021-30128 | CRITICAL | CVSS 9.8 | CWE-502 | PoC | fixed in 17.12.07 | 2021-04-27
Apache OFBiz has unsafe deserialization prior to version 17.12.07.
nvd, apache
CVE-2021-26295 | CRITICAL | CVSS 9.8 | CWE-502 | PoC | fixed in 17.12.06 | 2021-03-22
Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.
nvd, apache
CVE-2020-9496 | MEDIUM | CVSS 6.1 | CWE-79 | Exploited | PoC | v17.12.03 | 2020-07-15
XML-RPC requests are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03.
nvd, apache
CVE-2020-13923 | MEDIUM | CVSS 5.3 | CWE-639 | fixed in 17.12.04 | 2020-07-15
IDOR vulnerability in the order processing feature from ecommerce component of Apache OFBiz before 17.12.04
nvd, apache
CVE-2019-0235 | HIGH | CVSS 8.8 | CWE-352 | PoC | v17.12.01 | 2020-04-30
Apache OFBiz 17.12.01 is vulnerable to some CSRF attacks.
nvd, apache
CVE-2019-12425 | HIGH | CVSS 7.5 | CWE-74 | v17.12.01 | 2020-04-30
Apache OFBiz 17.12.01 is vulnerable to Host header injection by accepting arbitrary host
nvd, apache
CVE-2020-1943 | MEDIUM | CVSS 6.1 | CWE-79 | PoC | ≥ 16.11.01, ≤ 16.11.07 | 2020-04-01
Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07.
nvd, apache
CVE-2019-12426 | MEDIUM | CVSS 5.3 | ≥ 16.11.01, ≤ 16.11.06 | 2020-02-06
An unauthenticated user could get access to information of some backend screens by invoking setSessionLocale in Apache OFBiz 16.11.01 to 16.11.06.
nvd, apache
CVE-2011-3600 | HIGH | CVSS 7.5 | CWE-611 | PoC | ≥ 16.11.01, ≤ 16.11.04 | 2019-11-26
The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open network ports, and figure out from returned error messages whether a file exists o
nvd, apache
CVE-2019-0189 | CRITICAL | CVSS 9.8 | CWE-502 | ≥ 16.11.01, < 16.11.06 | vOFBiz 16.11.01 to 16.11.05 | 2019-09-11
The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is passed to the "deserialize" method of "XmlSerializer". Apache OFBiz is affe
nvd, apache
CVE-2018-17200 | CRITICAL | CVSS 9.8 | ≥ 16.11.01, ≤ 16.11.05 | vOFBiz 16.11.01 to 16.11.05 | 2019-09-11
The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. This service takes the `serviceContent` parameter in the request and deserializes it using XStream. This `XStream` instance is slightly guarded by disabling the creation of `ProcessBuilder`. Howev
nvd, apache
CVE-2019-10074 | CRITICAL | CVSS 9.8 | CWE-74 | ≥ 16.11.01, ≤ 16.11.05 | vOFBiz 16.11.01 to 16.11.05 | 2019-09-11
An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Up
nvd, apache
CVE-2019-10073 | MEDIUM | CVSS 6.1 | CWE-79 | ≥ 16.11.01, ≤ 16.11.05 | vOFBiz 16.11.01 to 16.11.05 | 2019-09-11
The "Blog", "Forum", "Contact Us" screens of the template "ecommerce" application bundled in Apache OFBiz are weak to Stored XSS attacks. Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16.11: 1858438, 1858543, 1860595 and 1860616
nvd, apache
CVE-2018-8033 | HIGH | CVSS 7.5 | CWE-200 | PoC | ≥ 16.11.01, ≤ 16.11.04 | 2018-12-13
In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext. The exploitation occurs by havi
nvd, apache
CVE-2017-15714 | CRITICAL | CVSS 9.8 | CWE-74 | v16.11.01 | v16.11.02 | +1 more | 2018-01-04
The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape user input property passed. This allows for code injection by passing that code through the URL. For example by appending this code "__format=%27;alert(%27xss%27)" to the URL an alert window would execute.
nvd, apache
CVE-2012-1622 | CRITICAL | CVSS 9.8 | v10.04 | 2017-10-26
Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors.
nvd, apache