Product: apache ofbiz
57 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE | Affected versions | CVSS (n/a where the listing gives no score) | Description (as listed; several descriptions are cut short on the source page)
CVE-2025-61623 | < 24.09.03 | 6.5 MEDIUM | Reflected cross-site scripting vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are recomm
CVE-2025-59118 | < 24.09.03 | 7.3 HIGH | Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03.
CVE-2025-54466 | < 24.09.02 | 9.8 CRITICAL | Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin.
CVE-2025-30676 | < 18.12.19 | 6.1 MEDIUM | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz. This issue affects A
CVE-2025-26865 | all versions | 3.5 LOW | Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OF
CVE-2024-48962 | < 18.12.17 | 8.8 HIGH | Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), Improper Neutralization of Special
CVE-2024-47208 | < 18.12.17 | 9.8 CRITICAL | Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This
CVE-2024-45507 | < 18.12.16 | 9.8 CRITICAL | Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This
CVE-2024-45195 | < 18.12.16 | 7.5 HIGH | Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are re
CVE-2024-38856 | < 18.12.15 | 9.8 CRITICAL | Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended
CVE-2024-36104 | < 18.12.14 | 9.1 CRITICAL | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects
CVE-2024-32113 | < 18.12.13 | 9.8 CRITICAL | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Ap
CVE-2024-25065 | < 18.12.12 | 9.1 CRITICAL | Possible path traversal in Apache OFBiz allowing authentication bypass. Users are recommended to upgrade to version 18.12.12, that
CVE-2024-23946 | < 18.12.12 | 5.3 MEDIUM | Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes
CVE-2023-51467 | < 18.12.11 | 9.8 CRITICAL | The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code
CVE-2023-50968 | < 18.12.11 | 7.5 HIGH | Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when a user operates a URI call without
CVE-2023-49070 | < 18.12.10 | 9.8 CRITICAL | Pre-auth RCE in Apache OFBiz 18.12.09. It is due to XML-RPC, no longer maintained but still present. This issue affects Apache OFBiz:
CVE-2023-46819 | < 18.12.09 | 5.3 MEDIUM | Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin. This issue affects Apache OFBiz: bef
CVE-2022-47501 | < 18.12.07 | 7.5 HIGH | Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a pre-authen
CVE-2022-29158 | < 18.12.06 | 7.5 HIGH | Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provi
CVE-2022-29063 | < 18.12.06 | 9.8 CRITICAL | The Solr plugin of Apache OFBiz is configured by default to automatically make an RMI request on localhost, port 1099. In version 1
CVE-2022-25813 | < 18.12.06 | 7.5 HIGH | In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin can insert a mali
CVE-2022-25371 | < 18.12.06 | 9.8 CRITICAL | Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. By
CVE-2022-25370 | < 18.12.06 | 5.4 MEDIUM | Apache OFBiz uses the Birt plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. In Apache O
CVE-2021-25958 | >= 17.12.01 and < 17.12.08 | 6.5 MEDIUM | Apache OFBiz versions v17.12.01 to v17.12.07 implement a try/catch exception handler at multiple locations but leak
CVE-2021-37608 | < 17.12.08 | 9.8 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz allows an attacker to execute remote commands. This
CVE-2021-30128 | < 17.12.07 | 9.8 CRITICAL | Apache OFBiz has unsafe deserialization prior to version 17.12.07.
CVE-2021-29200 | < 17.12.07 | 9.8 CRITICAL | Apache OFBiz has unsafe deserialization prior to version 17.12.07. An unauthenticated user can perform an RCE attack.
CVE-2021-26295 | < 17.12.06 | 9.8 CRITICAL | Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully
CVE-2020-9496 | all versions | 6.1 MEDIUM | XML-RPC requests are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03.
CVE-2020-13923 | < 17.12.04 | 5.3 MEDIUM | IDOR vulnerability in the order processing feature of the ecommerce component of Apache OFBiz before 17.12.04.
CVE-2019-12425 | all versions | 7.5 HIGH | Apache OFBiz 17.12.01 is vulnerable to Host header injection by accepting arbitrary hosts.
CVE-2019-0235 | all versions | 8.8 HIGH | Apache OFBiz 17.12.01 is vulnerable to some CSRF attacks.
CVE-2020-1943 | >= 16.11.01 and <= 16.11.07 | 6.1 MEDIUM | Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07.
CVE-2019-12426 | >= 16.11.01 and <= 16.11.06 | 5.3 MEDIUM | An unauthenticated user could get access to information of some backend screens by invoking setSessionLocale in Apache OFBiz 16.11
CVE-2011-3600 | >= 16.11.01 and <= 16.11.04 | 7.5 HIGH | The /webtools/control/xmlrpc endpoint in the OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE de
CVE-2019-10074 | >= 16.11.01 and <= 16.11.05 | 9.8 CRITICAL | An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on
CVE-2019-10073 | >= 16.11.01 and <= 16.11.05 | 6.1 MEDIUM | The "Blog", "Forum", "Contact Us" screens of the template "ecommerce" application bundled in Apache OFBiz are vulnerable to Stored XSS a
CVE-2019-0189 | >= 16.11.01 and < 16.11.06 | 9.8 CRITICAL | The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue here is exposed by the "webtools/control/htt
CVE-2018-17200 | >= 16.11.01 and <= 16.11.05 | 9.8 CRITICAL | The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtool
CVE-2018-8033 | >= 16.11.01 and <= 16.11.04 | 7.5 HIGH | In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for
CVE-2017-15714 | all versions | 9.8 CRITICAL | The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape the user input property passed. This allows for code injection by
CVE-2012-1622 | all versions | 9.8 CRITICAL | Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors.
CVE-2016-6800 | all versions | 6.1 MEDIUM | The default configuration of the Apache OFBiz framework offers a blog functionality. Different users are able to operate blogs whi
CVE-2016-4462 | all versions | 8.8 HIGH | By manipulating the URL parameter externalLoginKey, a malicious, logged-in user could pass valid Freemarker directives to the Temp
CVE-2016-2170 | >= 12.04 and < 12.04.06 | 9.8 CRITICAL | Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow remote attackers to execute arbitrary commands via a crafte
CVE-2015-3268 | all versions | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in the DisplayEntityField.getDescription method in ModelFormField.java in Apache OFBiz be
CVE-2014-0232 | all versions | n/a | Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 b
CVE-2012-1621 | all versions | n/a | Multiple cross-site scripting (XSS) vulnerabilities in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.02 allow
CVE-2013-0177 | all versions | n/a | Multiple cross-site scripting (XSS) vulnerabilities in widget/screen/ModelScreenWidget.java in Apache Open For Business Project (a
CVE-2013-2250 | all versions | n/a | Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote atta
CVE-2013-2137 | all versions | n/a | Cross-site scripting (XSS) vulnerability in the "View Log" screen in the Webtools application in Apache Open For Business Project
CVE-2012-3506 | all versions | n/a | Unspecified vulnerability in the Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.03 has unknown impact and attac
CVE-2010-0432 | <= 09.04 | n/a | Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 09.04 and earlier, as used
CVE-2006-6589 | all versions | n/a | Cross-site scripting (XSS) vulnerability in ecommerce/control/keywordsearch in the Apache Open For Business Project (OFBiz) and Op
CVE-2006-6588 | all versions | n/a | The forum implementation in the ecommerce component in the Apache Open For Business Project (OFBiz) trusts the (1) dataResourceTyp
CVE-2006-6587 | all versions | n/a | Cross-site scripting (XSS) vulnerability in the forum implementation in the ecommerce component in the Apache Open For Business Pr
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin