Vulnerabilities > Apache > Ofbiz
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-09-11 | CVE-2018-17200 | Unspecified vulnerability in Apache Ofbiz The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. | 9.8 |
| 2018-12-13 | CVE-2018-8033 | Information Exposure vulnerability in Apache Ofbiz In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. | 7.5 |
| 2018-01-04 | CVE-2017-15714 | Injection vulnerability in Apache Ofbiz 16.11.01/16.11.02/16.11.03 The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape user input property passed. | 9.8 |
| 2017-10-26 | CVE-2012-1622 | Unspecified vulnerability in Apache Ofbiz 10.04 Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors. | 9.8 |
| 2017-08-30 | CVE-2016-6800 | Cross-site Scripting vulnerability in Apache Ofbiz The default configuration of the Apache OFBiz framework offers a blog functionality. | 6.1 |
| 2017-08-30 | CVE-2016-4462 | Improper Input Validation vulnerability in Apache Ofbiz By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. | 8.8 |
| 2016-04-12 | CVE-2016-2170 | Improper Input Validation vulnerability in Apache Ofbiz Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library. | 9.8 |
| 2016-04-12 | CVE-2015-3268 | Cross-site Scripting vulnerability in Apache Ofbiz Cross-site scripting (XSS) vulnerability in the DisplayEntityField.getDescription method in ModelFormField.java in Apache OFBiz before 12.04.06 and 13.07.x before 13.07.03 allows remote attackers to inject arbitrary web script or HTML via the description attribute of a display-entity element. | 6.1 |