Apache OFBiz 18.12.09 Remote Code Execution

2023.12.31
Risk: High
Local: No
Remote: Yes
CWE: N/A

From: Jacques Le Roux <jleroux () apache org>
Date: Mon, 04 Dec 2023 21:04:50 +0000
Severity: moderate

Affected versions:
- Apache OFBiz before 18.12.10

Description:
Pre-auth RCE in Apache OFBiz 18.12.09. It's due to the no-longer-maintained XML-RPC component still being present.
This issue affects Apache OFBiz: before 18.12.10.
Users are recommended to upgrade to version 18.12.10.
This issue is being tracked as OFBIZ-12812.

Credit:
Siebene@ (finder)

References:
https://ofbiz.apache.org/download.html
https://ofbiz.apache.org/security.html
https://ofbiz.apache.org/release-notes-18.12.10.html
https://ofbiz.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-49070
https://issues.apache.org/jira/browse/OFBIZ-12812

----- Packet Storm Note
Below is the proof of concept circulating on twitter:
#POC: /webtools/control/xmlrpc;/?USERNAME=&PASSWORD=s&requirePasswordChange=Y
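As an added detection example (not part of the advisory, Packet Storm's note, or the OFBiz project), the script below scans constructed web-server access-log lines for requests to the xmlrpc endpoint that carry the requirePasswordChange=Y parameter seen in the PoC, stripping the ";" path-parameter segment the PoC uses so that a plain path comparison does not miss it. The log format, IPs and timestamps are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format), not real traffic.
# Line 1 is the PoC URL from the advisory; line 4 carries a jsessionid path
# parameter, as servlet containers commonly emit, to exercise normalisation.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Dec/2023:10:01:02 +0000] "POST /webtools/control/xmlrpc;/?USERNAME=&PASSWORD=s&requirePasswordChange=Y HTTP/1.1" 200 512
203.0.113.8 - - [31/Dec/2023:10:01:05 +0000] "GET /webtools/control/main HTTP/1.1" 200 8123
203.0.113.9 - - [31/Dec/2023:10:01:09 +0000] "POST /webtools/control/xmlrpc HTTP/1.1" 401 311
203.0.113.10 - - [31/Dec/2023:10:02:11 +0000] "POST /webtools/control/xmlrpc;jsessionid=abc123?requirePasswordChange=Y&USERNAME= HTTP/1.1" 200 499
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def normalize_target(target):
    """Return (path, query) with servlet-style ';param' path segments removed.
    The PoC requests 'xmlrpc;/' rather than 'xmlrpc', so matching the raw
    path would miss it; strip everything after ';' in each segment first."""
    parts = urlsplit(target)
    segments = [seg.split(";", 1)[0] for seg in parts.path.split("/")]
    path = "/".join(segments).rstrip("/").lower()
    query = {k.lower(): v for k, v in
             parse_qs(parts.query, keep_blank_values=True).items()}
    return path, query

def is_bypass_attempt(target):
    """True for a request to the XML-RPC endpoint carrying
    requirePasswordChange=Y (value compared case-insensitively, conservatively)."""
    path, query = normalize_target(target)
    if not path.endswith("/webtools/control/xmlrpc"):
        return False
    return any(v.upper() == "Y" for v in query.get("requirepasswordchange", []))

def scan_log(text):
    """Return [(client_ip, http_status), ...] for each request that matches."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_bypass_attempt(m.group("target")):
            hits.append((m.group("ip"), m.group("status")))
    return hits
```

A 200 on a matching line (as opposed to the 401 on the plain xmlrpc request) is the result a defender would triage first, since it indicates the endpoint answered the unauthenticated request.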

