Vulmon Recent Vulnerabilities Product List Research Posts Trends Blog Docs About Contact

apache ofbiz vulnerabilities and exploits

(subscribe to this query)
8.8
CVSSv3

CVE-2016-4462

By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to...
Apache Software Foundation Apache OfbizApache Ofbiz 11.04Apache Ofbiz 11.04.01Apache Ofbiz 11.04.02Apache Ofbiz 11.04.03Apache Ofbiz 11.04.04Apache Ofbiz 11.04.05Apache Ofbiz 11.04.06Apache Ofbiz 12.04Apache Ofbiz 12.04.01Apache Ofbiz 12.04.02Apache Ofbiz 12.04.03
6.1
CVSSv3

CVE-2016-6800

The default configuration of the Apache OFBiz framework offers a blog functionality. Different users are able to operate blogs which are related to specific parties. In the form field for the creation of new blog articles the user input of the summary field as well as the article...
Apache Software Foundation Apache OfbizApache Ofbiz 11.04Apache Ofbiz 11.04.01Apache Ofbiz 11.04.02Apache Ofbiz 11.04.03Apache Ofbiz 11.04.04Apache Ofbiz 11.04.05Apache Ofbiz 11.04.06Apache Ofbiz 12.04Apache Ofbiz 12.04.01Apache Ofbiz 12.04.02Apache Ofbiz 12.04.03
3.5
CVSSv2

CVE-2013-0177

Multiple cross-site scripting (XSS) vulnerabilities in widget/screen/ModelScreenWidget.java in Apache Open For Business Project (aka OFBiz) 10.04.x prior to 10.04.05, 11.04.01, and possibly 09.04.x allow remote authenticated users to inject arbitrary web script or HTML via the (1...
Apache Ofbiz 09.04Apache Ofbiz 09.04.01Apache Ofbiz 10.04Apache Ofbiz 10.04.01Apache Ofbiz 10.04.02Apache Ofbiz 10.04.03Apache Ofbiz 10.04.04Apache Ofbiz 11.04.01
4.3
CVSSv2

CVE-2013-2137

Cross-site scripting (XSS) vulnerability in the "View Log" screen in the Webtools application in Apache Open For Business Project (aka OFBiz) 10.04.01 up to and including 10.04.05, 11.04.01 up to and including 11.04.02, and 12.04.01 allows remote malicious users to inje...
Apache Ofbiz 10.04.01Apache Ofbiz 10.04.02Apache Ofbiz 10.04.03Apache Ofbiz 10.04.04Apache Ofbiz 10.04.05Apache Ofbiz 11.04.01Apache Ofbiz 11.04.02Apache Ofbiz 12.04.01
10
CVSSv2

CVE-2013-2250

Apache Open For Business Project (aka OFBiz) 10.04.01 up to and including 10.04.05, 11.04.01 up to and including 11.04.02, and 12.04.01 allows remote malicious users to execute arbitrary Unified Expression Language (UEL) functions via JUEL metacharacters in unspecified parameters...
Apache Ofbiz 10.04.01Apache Ofbiz 10.04.02Apache Ofbiz 10.04.03Apache Ofbiz 10.04.04Apache Ofbiz 10.04.05Apache Ofbiz 11.04.01Apache Ofbiz 11.04.02Apache Ofbiz 12.04.01
4.3
CVSSv2

CVE-2014-0232

Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 prior to 11.04.05 and 12.04.01 prior to 12.04.04 allow remote malicious users to inject arbitrary web script or HTML via unspecified vectors, which are...
Apache Ofbiz 12.04.01Apache Ofbiz 12.04.02Apache Ofbiz 12.04.03Apache Ofbiz 11.04.01Apache Ofbiz 11.04.02Apache Ofbiz 11.04.03Apache Ofbiz 11.04.04
6.1
CVSSv3

CVE-2015-3268

Cross-site scripting (XSS) vulnerability in the DisplayEntityField.getDescription method in ModelFormField.java in Apache OFBiz prior to 12.04.06 and 13.07.x prior to 13.07.03 allows remote malicious users to inject arbitrary web script or HTML via the description attribute of a ...
Apache Ofbiz 12.04.01Apache Ofbiz 12.04.02Apache Ofbiz 12.04.03Apache Ofbiz 12.04.04Apache Ofbiz 12.04.05Apache Ofbiz 13.07.01Apache Ofbiz 13.07.02
9.8
CVSSv3

CVE-2017-15714

The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape user input property passed. This allows for code injection by passing that code through the URL. For example by appending this code "__format=%27;alert(%27xss%27)" to the URL an alert window would exec...
Apache Ofbiz 16.11.01Apache Ofbiz 16.11.02Apache Ofbiz 16.11.03
10
CVSSv2

CVE-2012-3506

Unspecified vulnerability in the Apache Open For Business Project (aka OFBiz) 10.04.x prior to 10.04.03 has unknown impact and attack vectors.
Apache Ofbiz 10.04.01Apache Ofbiz 10.04.02
6.1
CVSSv3

CVE-2020-1943

Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07.
Apache Apache OfbizApache Ofbiz
Preferred Score:
CVSSv4
CVSSv2
CVSSv3
CVSSv4
EPSS
VMScore
Recommendations:
adp application developer platform 应用开发者平台type confusionflirCVE-2025-6268overflowdir-825CVE-2025-6018CVE-2025-2783CVE-2025-6292webassemblyauthentication bypassCVE-2025-4479CVE-2025-6306
Home
/
Search Results
Vulmon Logo Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Product List Vendor List Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook