English
Français
Light
Dark
System

Alert System

Stay informed at all times
Create an account Open a free account Login Manage your alerts

Apache Software Foundation OFBiz 10.04.04

CPE Details

Apache Software Foundation OFBiz 10.04.04
apache
ofbiz
10.04.04
2018-04-12 16:32 +00:00
2018-04-12 16:32 +00:00
CPE NVD

Alerte pour un CPE

Stay informed of any changes for a specific CPE.
Alert management

CPE Name: cpe:2.3:a:apache:ofbiz:10.04.04:*:*:*:*:*:*:*

Informations

Vendor

apache

Product

ofbiz

Version

10.04.04

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2024-23946 2024-02-28 15:44 +00:00 Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue.
5.3
MEDIUM
CVE-2023-51467 2023-12-26 14:46 +00:00 The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code
9.8
CRITICAL
CVE-2023-50968 2023-12-26 11:45 +00:00 Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue.
7.5
HIGH
CVE-2023-49070 2023-12-05 08:05 +00:00 Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10.  Users are recommended to upgrade to version 18.12.10
9.8
CRITICAL
CVE-2023-46819 2023-11-07 11:02 +00:00 Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin. This issue affects Apache OFBiz: before 18.12.09.  Users are recommended to upgrade to version 18.12.09
5.3
MEDIUM
CVE-2022-47501 2023-04-14 15:01 +00:00 Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a  pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07.
7.5
HIGH
CVE-2006-6588 2022-10-03 14:21 +00:00 The forum implementation in the ecommerce component in the Apache Open For Business Project (OFBiz) trusts the (1) dataResourceTypeId, (2) contentTypeId, and certain other hidden form fields, which allows remote attackers to create unauthorized types of content, modify content, or have other unknown impact.
7.5
CVE-2022-29158 2022-09-02 05:10 +00:00 Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599
7.5
HIGH
CVE-2022-29063 2022-09-02 05:10 +00:00 The Solr plugin of Apache OFBiz is configured by default to automatically make a RMI request on localhost, port 1099. In version 18.12.05 and earlier, by hosting a malicious RMI server on localhost, an attacker may exploit this behavior, at server start-up or on a server restart, in order to run arbitrary code. Upgrade to at least 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12646.
9.8
CRITICAL
CVE-2022-25813 2022-09-02 05:10 +00:00 In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious content in a message “Subject” field from the "Contact us" page. Then a party manager needs to list the communications in the party component to activate the SSTI. A RCE is then possible.
7.5
HIGH
CVE-2022-25371 2022-09-02 05:10 +00:00 Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. By leveraging a bug in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142) it is possible to perform a remote code execution (RCE) attack in Apache OFBiz, release 18.12.05 and earlier.
9.8
CRITICAL
CVE-2022-25370 2022-09-02 05:10 +00:00 Apache OFBiz uses the Birt plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. In Apache OFBiz release 18.12.05, and earlier versions, by leveraging a vulnerability in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142), an unauthenticated malicious user could perform a stored XSS attack in order to inject a malicious payload and execute it using the stored XSS.
5.4
MEDIUM
CVE-2021-37608 2021-08-18 05:50 +00:00 Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands. This issue affects Apache OFBiz version 17.12.07 and prior versions. Upgrade to at least 17.12.08 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12297.
9.8
CRITICAL
CVE-2021-30128 2021-04-27 17:50 +00:00 Apache OFBiz has unsafe deserialization prior to 17.12.07 version
9.8
CRITICAL
CVE-2021-29200 2021-04-27 17:50 +00:00 Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack
9.8
CRITICAL
CVE-2021-26295 2021-03-22 11:00 +00:00 Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.
9.8
CRITICAL
CVE-2020-13923 2020-07-15 13:38 +00:00 IDOR vulnerability in the order processing feature from ecommerce component of Apache OFBiz before 17.12.04
5.3
MEDIUM
CVE-2013-0177 2014-01-30 14:00 +00:00 Multiple cross-site scripting (XSS) vulnerabilities in widget/screen/ModelScreenWidget.java in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.05, 11.04.01, and possibly 09.04.x allow remote authenticated users to inject arbitrary web script or HTML via the (1) Screenlet.title or (2) Image.alt Widget attribute, as demonstrated by the parentPortalPageId parameter to exampleext/control/ManagePortalPages.
3.5
CVE-2013-2137 2013-08-15 14:00 +00:00 Cross-site scripting (XSS) vulnerability in the "View Log" screen in the Webtools application in Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
4.3
CVE-2013-2250 2013-08-15 14:00 +00:00 Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote attackers to execute arbitrary Unified Expression Language (UEL) functions via JUEL metacharacters in unspecified parameters, related to nested expressions.
10
CVE-2006-6587 2006-12-15 18:00 +00:00 Cross-site scripting (XSS) vulnerability in the forum implementation in the ecommerce component in the Apache Open For Business Project (OFBiz) allows remote attackers to inject arbitrary web script or HTML by posting a message.
6.8
CVE-2006-6589 2006-12-15 18:00 +00:00 Cross-site scripting (XSS) vulnerability in ecommerce/control/keywordsearch in the Apache Open For Business Project (OFBiz) and Opentaps 0.9.3 allows remote attackers to inject arbitrary web script or HTML via the SEARCH_STRING parameter, a different issue than CVE-2006-6587. NOTE: some of these details are obtained from third party information.
6.8

More information
Click on the button to the left (OFF), to authorize the inscription of cookie improving the functionalities of the site. Click on the button to the left (Accept all), to unauthorize the inscription of cookie improving the functionalities of the site.