Vulnerabilities > Apache > Ofbiz > 16.11.02
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-07-15 | CVE-2020-13923 | Authorization Bypass Through User-Controlled Key vulnerability in Apache Ofbiz IDOR vulnerability in the order processing feature from ecommerce component of Apache OFBiz before 17.12.04 | 5.3 |
| 2020-04-01 | CVE-2020-1943 | Cross-site Scripting vulnerability in Apache Ofbiz Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07. | 6.1 |
| 2020-02-06 | CVE-2019-12426 | Unspecified vulnerability in Apache Ofbiz an unauthenticated user could get access to information of some backend screens by invoking setSessionLocale in Apache OFBiz 16.11.01 to 16.11.06 | 5.3 |
| 2019-11-26 | CVE-2011-3600 | XXE vulnerability in Apache Ofbiz The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. | 7.5 |
| 2019-09-11 | CVE-2019-10074 | Improper Encoding or Escaping of Output vulnerability in Apache Ofbiz An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. | 9.8 |
| 2019-09-11 | CVE-2019-10073 | Cross-site Scripting vulnerability in Apache Ofbiz The "Blog", "Forum", "Contact Us" screens of the template "ecommerce" application bundled in Apache OFBiz are weak to Stored XSS attacks. | 6.1 |
| 2019-09-11 | CVE-2019-0189 | Deserialization of Untrusted Data vulnerability in Apache Ofbiz The java.io.ObjectInputStream is known to cause Java serialisation issues. | 9.8 |
| 2019-09-11 | CVE-2018-17200 | Unspecified vulnerability in Apache Ofbiz The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. | 9.8 |
| 2018-12-13 | CVE-2018-8033 | Information Exposure vulnerability in Apache Ofbiz In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. | 7.5 |
| 2018-01-04 | CVE-2017-15714 | Injection vulnerability in Apache Ofbiz 16.11.01/16.11.02/16.11.03 The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape user input property passed. | 9.8 |