Incorrect Authorization vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: through 18.12.14.
Users are recommended to upgrade to version 18.12.15, which fixes the issue.
Unauthenticated endpoints could allow execution of screen rendering code if some preconditions are met (such as when the screen definitions don't explicitly check the user's permissions because they rely on the configuration of their endpoints).
References
Link | Resource |
---|---|
https://issues.apache.org/jira/browse/OFBIZ-13128 | Issue Tracking |
https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w | Mailing List Vendor Advisory |
https://ofbiz.apache.org/download.html | Product |
https://ofbiz.apache.org/security.html | Vendor Advisory |
http://www.openwall.com/lists/oss-security/2024/08/04/1 |
History
21 Nov 2024, 09:26
Type | Values Removed | Values Added |
---|---|---|
References |
|
28 Aug 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:* | |
CVSS | v2 : v3 : | v2 : unknown, v3 : 9.8 |
First Time | Apache, Apache ofbiz | |
References | https://issues.apache.org/jira/browse/OFBIZ-13128 - Issue Tracking | |
References | https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w - Mailing List, Vendor Advisory | |
References | https://ofbiz.apache.org/download.html - Product | |
References | https://ofbiz.apache.org/security.html - Vendor Advisory | |
06 Aug 2024, 13:35
Type | Values Removed | Values Added |
---|---|---|
CVSS | v2 : v3 : | v2 : unknown, v3 : 8.1 |
05 Aug 2024, 12:41
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
05 Aug 2024, 09:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-05 09:15
Updated : 2024-11-21 09:26
NVD link : CVE-2024-38856
Mitre link : CVE-2024-38856
CVE.ORG link : CVE-2024-38856
Products Affected
apache
- ofbiz
CWE
CWE-863
Incorrect Authorization