Published: 13/12/2018 Updated: 07/11/2023

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 446

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext. The exploitation occurs by having DOCTYPEs pointing to external references that trigger a payload that returns secret information from the host.

Vulnerable Product	Search on Vulmon	Subscribe to Product
apache ofbiz

xray poc 扫描器

简介 xray poc 发生了一次改版。导致之前的poc引擎不能使用。正好之前工作做过这方面的工作，重新写了一版xray poc v2版本的poc解析工具。 xray v2版格式：docsxraycool/#/guide/poc/v2 特此开源出来，希望能和研究这方面技术的师傅多交流。使用编译 go build -x -ldflags "-s -w" -o xray_poc

XXE injection (file disclosure) exploit for Apache OFBiz < 16.11.04

Apache OFBiz XXE XXE injection (file disclosure) exploit for Apache OFBiz < 161104 Information Apache OFBiz, before version 161104, contains two distinct XXE injection vulnerabilities The public disclosures for each vulnerability can be found below: [1] seclistsorg/oss-sec/2018/q4/12 [2] seclistsorg/oss-sec/2018/q4/13 This exploit targets the vul

CWE-200 https://lists.apache.org/thread.html/e8fb551e86e901932081f81ee9985bb72052b4d412f23d89b1282777%40%3Cuser.ofbiz.apache.org%3E https://nvd.nist.gov https://github.com/h1iba1/xray-poc-scan-engine

CVE-2018-8033

Vulnerability Summary

Vulnerability Trend

Github Repositories

References

Vulmon Search

About

Products

Connect