[ANNOUNCE] Apache OFBiz 17.12 End-Of-Life (EOL) announcement

2022-01-21 Thread jler...@apache.org
The Apache OFBiz Project Team would like to inform you that OFBiz 17.12.09 is the last release of the 17.12 branch, which has reached its end of life and will no longer be officially supported. https://ofbiz.apache.org/release-notes-17.12.09.html This announcement takes place on 2022-01-21 and

[CVE-2021-37608] Arbitrary file upload vulnerability in OFBiz

2021-08-11 Thread jler...@apache.org
Severity: High, possible RCE Vendor: The Apache Software Foundation Versions Affected: OFBiz versions prior to 17.12.08 Description: Apache OFBiz has unsafe deserialization prior to 17.12.08 version Mitigation: Upgrade to at least 17.12.08 or apply patches at

[CVE-2021-30128] Unsafe deserialization in OFBiz

2021-04-27 Thread jler...@apache.org
Severity: High, possible RCE Vendor: The Apache Software Foundation Versions Affected: OFBiz versions prior to 17.12.07 Description: Apache OFBiz has unsafe deserialization prior to 17.12.07 version Mitigation: Upgrade to at least 17.12.07 or apply patches at

[CVE-2021-29200] RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI

2021-04-27 Thread jler...@apache.org
Severity: High, possible RCE Vendor: The Apache Software Foundation Versions Affected: OFBiz versions prior to 17.12.07 Description: Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack Mitigation: Upgrade to at least 17.12.07 or

Subject: [CVE-2021-26295] RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI

2021-03-21 Thread jler...@apache.org
Severity: High Vendor: The Apache Software Foundation Versions Affected: OFBiz versions prior to 17.12.06 Description: Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz. Mitigation: Upgrade

[CVE-2020-13923] IDOR in Apache OFBiz

2020-07-15 Thread jler...@apache.org
Severity: Important Vendor: The Apache Software Foundation Versions Affected: All versions < 17.12.04 Description: IDOR vulnerability in the order processing feature from ecommerce component. Mitigation: Upgrade to 17.12.04 or manually apply the commit at OFBIZ-11836 Credit: Harshit

[CVE-2020-9496] Apache OFBiz XML-RPC requests vulnerable without authentication

2020-07-15 Thread jler...@apache.org
Severity: Important Vendor: The Apache Software Foundation Versions Affected: OFBiz 17.12.03 Description: Apache OFBiz XML-RPC requests are vulnerable to unsafe deserialization and Cross-Site Scripting issues. Mitigation: Upgrade to 17.12.04 or manually apply the commit at OFBIZ-11716

[CVE-2019-0235] Apache OFBiz multiple CSRF vulnerabilities

2020-04-30 Thread jler...@apache.org
Severity: Important Vendor: The Apache Software Foundation Versions Affected: OFBiz 17.12.01 Description: Apache OFBiz is vulnerable to CSRF attacks Mitigation: Upgrade to 17.12.03 or manually apply the commits at OFBIZ-11470 Credit: Initially known by the OFBiz security team

[CVE-2019-12425] Apache OFBiz Host Header Injection

2020-04-30 Thread jler...@apache.org
Severity: Important Vendor: The Apache Software Foundation Versions Affected: OFBiz 17.12.01 Description: Apache OFBiz is vulnerable to Host header injection by accepting arbitrary hosts Mitigation: Upgrade to 17.12.03 or manually apply the commit at OFBIZ-11583 Credit: Pradeep