Headline
Apache OFBiz 18.12.09 Remote Code Execution
Apache OFBiz version 18.12.09 suffers from a pre-authentication remote code execution vulnerability.
From: Jacques Le Roux <jleroux () apache org>Date: Mon, 04 Dec 2023 21:04:50 +0000Severity: moderateAffected versions:- Apache OFBiz before 18.12.10Description:Pre-auth RCE in Apache Ofbiz 18.12.09.It's due to XML-RPC no longer maintained still present.This issue affects Apache OFBiz: before 18.12.10. Users are recommended to upgrade to version 18.12.10This issue is being tracked as OFBIZ-12812 Credit:Siebene@ (finder)References:https://ofbiz.apache.org/download.htmlhttps://ofbiz.apache.org/security.htmlhttps://ofbiz.apache.org/release-notes-18.12.10.htmlhttps://ofbiz.apache.org/https://www.cve.org/CVERecord?id=CVE-2023-49070https://issues.apache.org/jira/browse/OFBIZ-12812-----Packet Storm NoteBelow is the proof of concept circulating on twitter:#POC: /webtools/control/xmlrpc;/?USERNAME=&PASSWORD=s&requirePasswordChange=Y
Related news
Cybersecurity researchers have developed a proof-of-concept (PoC) code that exploits a recently disclosed critical flaw in the Apache OfBiz open-source Enterprise Resource Planning (ERP) system to execute a memory-resident payload. The vulnerability in question is CVE-2023-51467 (CVSS score: 9.8), a bypass for another severe shortcoming in the same software (
A new zero-day security flaw has been discovered in the Apache OfBiz, an open-source Enterprise Resource Planning (ERP) system that could be exploited to bypass authentication protections. The vulnerability, tracked as CVE-2023-51467, resides in the login functionality and is the result of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) that was