Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

apache ofbiz 16.11.01 vulnerabilities and exploits

(subscribe to this query)
7.5
CVSSv2
CVE-2017-15714
The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape user input property passed. This allows for code injection by passing that code through the URL. For example by appending this code "__format=%27;alert(%27xss%27)" to the URL an alert window would exec...
Apache Ofbiz 16.11.02Apache Ofbiz 16.11.03Apache Ofbiz 16.11.01
6.5
CVSSv2
CVE-2016-4462
By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to...
Apache Ofbiz 13.07Apache Ofbiz 12.04.05Apache Ofbiz 12.04Apache Ofbiz 12.04.04Apache Ofbiz 12.04.01Apache Ofbiz 11.04.01Apache Ofbiz 12.04.02Apache Ofbiz 13.07.02Apache Ofbiz 12.04.06Apache Ofbiz 13.07.01Apache Ofbiz 11.04.04Apache Ofbiz 11.04.03Apache Ofbiz 11.04Apache Ofbiz 13.07.03Apache Ofbiz 11.04.06Apache Ofbiz 11.04.02Apache Ofbiz 11.04.05Apache Ofbiz 12.04.03
4.3
CVSSv2
CVE-2016-6800
The default configuration of the Apache OFBiz framework offers a blog functionality. Different users are able to operate blogs which are related to specific parties. In the form field for the creation of new blog articles the user input of the summary field as well as the article...
Apache Ofbiz 13.07Apache Ofbiz 12.04.05Apache Ofbiz 12.04Apache Ofbiz 12.04.04Apache Ofbiz 12.04.01Apache Ofbiz 11.04.01Apache Ofbiz 12.04.02Apache Ofbiz 13.07.02Apache Ofbiz 12.04.06Apache Ofbiz 13.07.01Apache Ofbiz 11.04.04Apache Ofbiz 11.04.03Apache Ofbiz 11.04Apache Ofbiz 13.07.03Apache Ofbiz 11.04.06Apache Ofbiz 11.04.02Apache Ofbiz 11.04.05Apache Ofbiz 12.04.03
4.3
CVSSv2
CVE-2020-1943
Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07.
Apache Ofbiz
5
CVSSv2
CVE-2019-12426
an unauthenticated user could get access to information of some backend screens by invoking setSessionLocale in Apache OFBiz 16.11.01 to 16.11.06
Apache Ofbiz
5
CVSSv2
CVE-2018-8033
In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: se...
Apache Ofbiz
5
CVSSv2
CVE-2011-3600
The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open network...
Apache Ofbiz
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
race conditionCVE-2024-4249CVE-2024-4244CVE-2023-20198TCPCVE-2022-48648CVE-2022-48636CVE-2024-21345SQL
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook