Apache OFBiz vulnerabilities, medium risk

Each entry lists the disclosure date, CVE id and vulnerability title, followed by the description, the attack vector, the attack complexity, the vendor, the CWE (where assigned) and the risk score.

2024-02-29  CVE-2024-23946  Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz
    Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, which fixes the issue.
    Attack vector: network | Attack complexity: low | Vendor: apache | CWE-434 | Risk: 5.3

2023-11-07  CVE-2023-46819  Missing Authentication for Critical Function vulnerability in Apache OFBiz
    Missing authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin. This issue affects Apache OFBiz before 18.12.09. Users are recommended to upgrade to version 18.12.09.
    Attack vector: network | Attack complexity: low | Vendor: apache | CWE-306 | Risk: 5.3

2022-09-02  CVE-2022-25370  Cross-site Scripting vulnerability in Apache OFBiz
    Apache OFBiz uses the Birt plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports.
    Attack vector: network | Attack complexity: low | Vendor: apache | CWE-79 | Risk: 5.4

2020-07-15  CVE-2020-9496  Deserialization of Untrusted Data vulnerability in Apache OFBiz 17.12.03
    XML-RPC requests are vulnerable to unsafe deserialization and cross-site scripting issues in Apache OFBiz 17.12.03.
    Attack vector: network | Attack complexity: low | Vendor: apache | CWE-502 | Risk: 6.1

2020-07-15  CVE-2020-13923  Authorization Bypass Through User-Controlled Key vulnerability in Apache OFBiz
    IDOR vulnerability in the order processing feature of the ecommerce component of Apache OFBiz before 17.12.04.
    Attack vector: network | Attack complexity: low | Vendor: apache | CWE-639 | Risk: 5.3

2020-04-01  CVE-2020-1943  Cross-site Scripting vulnerability in Apache OFBiz
    Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07.
    Attack vector: network | Attack complexity: low | Vendor: apache | CWE-79 | Risk: 6.1

2020-02-06  CVE-2019-12426  Unspecified vulnerability in Apache OFBiz
    An unauthenticated user could get access to information of some backend screens by invoking setSessionLocale in Apache OFBiz 16.11.01 to 16.11.06.
    Attack vector: network | Attack complexity: low | Vendor: apache | Risk: 5.3

2019-09-11  CVE-2019-10073  Cross-site Scripting vulnerability in Apache OFBiz
    The "Blog", "Forum" and "Contact Us" screens of the template "ecommerce" application bundled in Apache OFBiz are susceptible to stored XSS attacks.
    Attack vector: network | Attack complexity: low | Vendor: apache | CWE-79 | Risk: 6.1

2017-08-30  CVE-2016-6800  Cross-site Scripting vulnerability in Apache OFBiz
    The default configuration of the Apache OFBiz framework offers a blog functionality.
    Attack vector: network | Attack complexity: low | Vendor: apache | CWE-79 | Risk: 6.1

2016-04-12  CVE-2015-3268  Cross-site Scripting vulnerability in Apache OFBiz
    Cross-site scripting (XSS) vulnerability in the DisplayEntityField.getDescription method in ModelFormField.java in Apache OFBiz before 12.04.06 and 13.07.x before 13.07.03 allows remote attackers to inject arbitrary web script or HTML via the description attribute of a display-entity element.
    Attack vector: network | Attack complexity: low | Vendor: apache | CWE-79 | Risk: 6.1