Ofbiz

ofbiz

Vendor: Apache • 74 CVEs

CVEs (74)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-30676 1Apache 1Ofbiz Apr 29, 2025 Apr 1, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.19. Users are recommended to upgrade to version 18.12.19, which...Show more Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.19. Users are recommended to upgrade to version 18.12.19, which fixes the issue.Show less
CVE-2025-26865 1Apache 1Ofbiz Jun 23, 2025 Mar 10, 2025 N/A· v4 3.5 LOW· v3 N/A· v2 Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18. It's a regression between 18.12.17 and 18.12.18. In...Show more Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18. It's a regression between 18.12.17 and 18.12.18. In case you use something like that, which is not recommended! For security, only official releases should be used. In other words, if you use 18.12.17 you are still safe. The version 18.12.17 is not a affected. But something between 18.12.17 and 18.12.18 is. In that case, users are recommended to upgrade to version 18.12.18, which fixes the issue.Show less
CVE-2024-48962 1Apache 1Ofbiz Feb 11, 2025 Nov 18, 2024 8.9 HIGH· v4 8.8 HIGH· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apa...Show more Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue.Show less
CVE-2024-47208 1Apache 1Ofbiz Jun 24, 2025 Nov 18, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version...Show more Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue.Show less
CVE-2024-45507 1Apache 1Ofbiz Nov 21, 2024 Sep 4, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version...Show more Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.Show less
CVE-2024-45195 1Apache 1Ofbiz Oct 23, 2025 Sep 4, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.
CVE-2024-38856 1Apache 1Ofbiz Oct 23, 2025 Aug 5, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could al...Show more Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).Show less
CVE-2024-36104 1Apache 1Ofbiz Jul 1, 2025 Jun 4, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which...Show more Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue.Show less
CVE-2024-32113 1Apache 1Ofbiz Oct 23, 2025 May 8, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which...Show more Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue.Show less
CVE-2024-25065 1Apache 1Ofbiz May 5, 2025 Feb 29, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Possible path traversal in Apache OFBiz allowing authentication bypass. Users are recommended to upgrade to version 18.12.12, that fixes the issue.
CVE-2024-23946 1Apache 1Ofbiz Nov 21, 2024 Feb 29, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue.
CVE-2023-51467 1Apache 1Ofbiz Nov 21, 2024 Dec 26, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code
CVE-2023-50968 1Apache 1Ofbiz Nov 21, 2024 Dec 26, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without auth...Show more Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue.Show less
CVE-2023-49070 1Apache 1Ofbiz Feb 13, 2025 Dec 5, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10. Users are recommended to upgrade to version 18.12.10
CVE-2023-46819 1Apache 1Ofbiz Nov 21, 2024 Nov 7, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin. This issue affects Apache OFBiz: before 18.12.09. Users are recommended to upgrade to version 18.12.09
CVE-2022-47501 1Apache 1Ofbiz Feb 13, 2025 Apr 14, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07.
CVE-2022-29158 1Apache 1Ofbiz Nov 21, 2024 Sep 2, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://is...Show more Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599Show less
CVE-2022-29063 1Apache 1Ofbiz Nov 21, 2024 Sep 2, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The Solr plugin of Apache OFBiz is configured by default to automatically make a RMI request on localhost, port 1099. In version 18.12.05 and earlier, by hosting a malicious RMI server on localhost, an attacker may explo...Show more The Solr plugin of Apache OFBiz is configured by default to automatically make a RMI request on localhost, port 1099. In version 18.12.05 and earlier, by hosting a malicious RMI server on localhost, an attacker may exploit this behavior, at server start-up or on a server restart, in order to run arbitrary code. Upgrade to at least 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12646.Show less
CVE-2022-25813 1Apache 1Ofbiz Nov 21, 2024 Sep 2, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious content in a message “Subject” field from the "Contact us" page. Then a party manage...Show more In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious content in a message “Subject” field from the "Contact us" page. Then a party manager needs to list the communications in the party component to activate the SSTI. A RCE is then possible.Show less
CVE-2022-25371 1Apache 1Ofbiz Nov 21, 2024 Sep 2, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. By leveraging a bug in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142) it is poss...Show more Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. By leveraging a bug in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142) it is possible to perform a remote code execution (RCE) attack in Apache OFBiz, release 18.12.05 and earlier.Show less

Previous 123 4 Next