[CVE-2021-37608] Arbitrary file upload vulnerability in OFBiz

2021-08-11 Thread jler...@apache.org
Severity: High, possible RCE
Vendor: The Apache Software Foundation
Versions Affected: OFBiz versions prior to 17.12.08
Description: Apache OFBiz has unsafe deserialization prior to 17.12.08 version
Mitigation: Upgrade to at least 17.12.08 or apply patches at

[CVE-2021-30128] Unsafe deserialization in OFBiz

2021-04-27 Thread jler...@apache.org
Severity: High, possible RCE
Vendor: The Apache Software Foundation
Versions Affected: OFBiz versions prior to 17.12.07
Description: Apache OFBiz has unsafe deserialization prior to 17.12.07 version
Mitigation: Upgrade to at least 17.12.07 or apply patches at

[CVE-2021-29200] RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI

2021-04-27 Thread jler...@apache.org
Severity: High, possible RCE
Vendor: The Apache Software Foundation
Versions Affected: OFBiz versions prior to 17.12.07
Description: Apache OFBiz has unsafe deserialization prior to 17.12.07 version. An unauthenticated user can perform an RCE attack.
Mitigation: Upgrade to at least 17.12.07 or

[CVE-2021-26295] RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI

2021-03-21 Thread jler...@apache.org
Severity: High
Vendor: The Apache Software Foundation
Versions Affected: OFBiz versions prior to 17.12.06
Description: Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.
Mitigation: Upgrade

[CVE-2020-13923] IDOR in Apache OFBiz

2020-07-15 Thread jler...@apache.org
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: All versions < 17.12.04
Description: IDOR vulnerability in the order processing feature from ecommerce component.
Mitigation: Upgrade to 17.12.04 or manually apply the commit at OFBIZ-11836
Credit: Harshit

[CVE-2020-9496] Apache OFBiz XML-RPC requests vulnerable without authentication

2020-07-15 Thread jler...@apache.org
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: OFBiz 17.12.03
Description: Apache OFBiz XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues.
Mitigation: Upgrade to 17.12.04 or manually apply the commit at OFBIZ-11716

[CVE-2019-0235] Apache OFBiz multiple CSRF vulnerabilities

2020-04-30 Thread jler...@apache.org
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: OFBiz 17.12.01
Description: Apache OFBiz is vulnerable to CSRF attacks
Mitigation: Upgrade to 17.12.03 or manually apply the commits at OFBIZ-11470
Credit: Initially known by the OFBiz security team

[CVE-2019-12425] Apache OFBiz Host Header Injection

2020-04-30 Thread jler...@apache.org
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: OFBiz 17.12.01
Description: Apache OFBiz is vulnerable to Host header injection by accepting arbitrary hosts
Mitigation: Upgrade to 17.12.03 or manually apply the commit at OFBIZ-11583
Credit: Pradeep