Vulnerabilities > Apache > Ofbiz > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-02-29 CVE-2024-23946 Unrestricted Upload of File with Dangerous Type vulnerability in Apache Ofbiz
Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue.
network
low complexity
apache CWE-434
5.3
2023-11-07 CVE-2023-46819 Missing Authentication for Critical Function vulnerability in Apache Ofbiz
Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin. This issue affects Apache OFBiz: before 18.12.09.  Users are recommended to upgrade to version 18.12.09
network
low complexity
apache CWE-306
5.3
2021-08-30 CVE-2021-25958 Information Exposure Through an Error Message vulnerability in Apache Ofbiz
In Apache Ofbiz, versions v17.12.01 to v17.12.07 implement a try catch exception to handle errors at multiple locations but leaks out sensitive table info which may aid the attacker for further recon.
network
low complexity
apache CWE-209
5.0
2020-07-15 CVE-2020-9496 Deserialization of Untrusted Data vulnerability in Apache Ofbiz 17.12.03
XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03
network
low complexity
apache CWE-502
6.1
2020-07-15 CVE-2020-13923 Authorization Bypass Through User-Controlled Key vulnerability in Apache Ofbiz
IDOR vulnerability in the order processing feature from ecommerce component of Apache OFBiz before 17.12.04
network
low complexity
apache CWE-639
5.3
2020-04-01 CVE-2020-1943 Cross-site Scripting vulnerability in Apache Ofbiz
Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07.
network
low complexity
apache CWE-79
6.1
2020-02-06 CVE-2019-12426 Unspecified vulnerability in Apache Ofbiz
an unauthenticated user could get access to information of some backend screens by invoking setSessionLocale in Apache OFBiz 16.11.01 to 16.11.06
network
low complexity
apache
5.3
2019-09-11 CVE-2019-10073 Cross-site Scripting vulnerability in Apache Ofbiz
The "Blog", "Forum", "Contact Us" screens of the template "ecommerce" application bundled in Apache OFBiz are weak to Stored XSS attacks.
network
low complexity
apache CWE-79
6.1
2017-08-30 CVE-2016-6800 Cross-site Scripting vulnerability in Apache Ofbiz
The default configuration of the Apache OFBiz framework offers a blog functionality.
network
low complexity
apache CWE-79
6.1
2016-04-12 CVE-2015-3268 Cross-site Scripting vulnerability in Apache Ofbiz
Cross-site scripting (XSS) vulnerability in the DisplayEntityField.getDescription method in ModelFormField.java in Apache OFBiz before 12.04.06 and 13.07.x before 13.07.03 allows remote attackers to inject arbitrary web script or HTML via the description attribute of a display-entity element.
network
apache CWE-79
4.3