Apache: >> Ofbiz >> 12.04.03 Security Vulnerabilities
Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands. This issue affects Apache OFBiz version 17.12.07 and prior versions. Upgrade to at least 17.12.08 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12297.
CVSS Score
9.8
EPSS Score
0.052
Published
2021-08-18
Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack
CVSS Score
9.8
EPSS Score
0.93
Published
2021-04-27
Apache OFBiz has unsafe deserialization prior to 17.12.07 version
CVSS Score
9.8
EPSS Score
0.934
Published
2021-04-27
Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.
CVSS Score
9.8
EPSS Score
0.943
Published
2021-03-22
IDOR vulnerability in the order processing feature from ecommerce component of Apache OFBiz before 17.12.04
CVSS Score
5.3
EPSS Score
0.025
Published
2020-07-15
By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01
CVSS Score
8.8
EPSS Score
0.01
Published
2017-08-30
The default configuration of the Apache OFBiz framework offers a blog functionality. Different users are able to operate blogs which are related to specific parties. In the form field for the creation of new blog articles the user input of the summary field as well as the article field is not properly sanitized. It is possible to inject arbitrary JavaScript code in these form fields. This code gets executed from the browser of every user who is visiting this article. Mitigation: Upgrade to Apache OFBiz 16.11.01.
CVSS Score
6.1
EPSS Score
0.023
Published
2017-08-30
Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.
CVSS Score
9.8
EPSS Score
0.118
Published
2016-04-12
Cross-site scripting (XSS) vulnerability in the DisplayEntityField.getDescription method in ModelFormField.java in Apache OFBiz before 12.04.06 and 13.07.x before 13.07.03 allows remote attackers to inject arbitrary web script or HTML via the description attribute of a display-entity element.
CVSS Score
6.1
EPSS Score
0.065
Published
2016-04-12
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1) result or (2) error message.
CVSS Score
4.3
EPSS Score
0.087
Published
2014-08-22