Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
apache ofbiz vulnerabilities and exploits
(subscribe to this query)
383
VMScore
CVE-2019-10073
The "Blog", "Forum", "Contact Us" screens of the template "ecommerce" application bundled in Apache OFBiz are weak to Stored XSS attacks. Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16.11: 1858438, 1858...
Apache Ofbiz
668
VMScore
CVE-2019-10074
An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled wit...
Apache Ofbiz
891
VMScore
CVE-2021-30128
Apache OFBiz has unsafe deserialization before 17.12.07 version
Apache Ofbiz
2 Github repositories
NA
CVE-2022-25371
Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. By leveraging a bug in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142) it is possible to perform a remote code execution (RCE) attack in Apac...
Apache Ofbiz
605
VMScore
CVE-2006-6587
Cross-site scripting (XSS) vulnerability in the forum implementation in the ecommerce component in the Apache Open For Business Project (OFBiz) allows remote malicious users to inject arbitrary web script or HTML by posting a message.
Apache Ofbiz
446
VMScore
CVE-2018-8033
In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: se...
Apache Ofbiz
3 Github repositories
445
VMScore
CVE-2010-0432
Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 09.04 and previous versions, as used in Opentaps, Neogia, and Entente Oya, allow remote malicious users to inject arbitrary web script or HTML via (1) the productStoreId parame...
Apache Ofbiz
3 EDB exploits
668
VMScore
CVE-2018-17200
The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. This service takes the `serviceContent` parameter in the request and deserializes it using XStream. This `XStream` ins...
Apache Ofbiz
668
VMScore
CVE-2006-6588
The forum implementation in the ecommerce component in the Apache Open For Business Project (OFBiz) trusts the (1) dataResourceTypeId, (2) contentTypeId, and certain other hidden form fields, which allows remote malicious users to create unauthorized types of content, modify cont...
Apache Ofbiz
668
VMScore
CVE-2019-0189
The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/httpService" URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceC...
Apache Ofbiz
1 Github repository
VMScore
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-3380
CVE-2024-1694
local file inclusion
CVE-2024-5645
CVE-2024-24919
XSS
CVE-2024-36774
CVE-2024-21306
SQL
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
NEXT »