Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Ofbiz
(Apache)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 48 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2019-09-11 | CVE-2019-10073 | The "Blog", "Forum", "Contact Us" screens of the template "ecommerce" application bundled in Apache OFBiz are weak to Stored XSS attacks. Mitigation: Upgrade to 16.11.06 or manually apply the following commits on branch 16.11: 1858438, 1858543, 1860595 and 1860616 | Ofbiz | 6.1 | ||
| 2019-09-11 | CVE-2019-10074 | An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533 | Ofbiz | 9.8 | ||
| 2020-02-06 | CVE-2019-12426 | an unauthenticated user could get access to information of some backend screens by invoking setSessionLocale in Apache OFBiz 16.11.01 to 16.11.06 | Ofbiz | 5.3 | ||
| 2020-04-01 | CVE-2020-1943 | Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07. | Ofbiz | 6.1 | ||
| 2020-04-30 | CVE-2019-0235 | Apache OFBiz 17.12.01 is vulnerable to some CSRF attacks. | Ofbiz | 8.8 | ||
| 2020-04-30 | CVE-2019-12425 | Apache OFBiz 17.12.01 is vulnerable to Host header injection by accepting arbitrary host | Ofbiz | 7.5 | ||
| 2020-07-15 | CVE-2020-13923 | IDOR vulnerability in the order processing feature from ecommerce component of Apache OFBiz before 17.12.04 | Ofbiz | 5.3 | ||
| 2020-07-15 | CVE-2020-9496 | XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03 | Ofbiz | 6.1 | ||
| 2021-03-22 | CVE-2021-26295 | Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz. | Ofbiz | 9.8 | ||
| 2021-04-27 | CVE-2021-29200 | Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack | Ofbiz | 9.8 |