9.8

CVE-2024-45195

Warnung

Apache OFBiz: Confused controller-view authorization logic (forced browsing)

Direct Request ('Forced Browsing') vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 18.12.16.

Users are recommended to upgrade to version 18.12.16, which fixes the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheOfbiz Version < 18.12.16

04.02.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache OFBiz Forced Browsing Vulnerability

Schwachstelle

Apache OFBiz contains a forced browsing vulnerability that allows a remote attacker to obtain unauthorized access.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 99.98% 1
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-425 Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

https://ofbiz.apache.org/security.html
Vendor Advisory
https://ofbiz.apache.org/download.html
Product
https://issues.apache.org/jira/browse/OFBIZ-13130
Vendor Advisory
Issue Tracking
https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy
Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/09/03/6
Mailing List
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45195
Third Party Advisory
US Government Resource