Home Tools Exploits & CVE's Apache OFBiz 18.12.09 Remote Code Execution

Apache OFBiz 18.12.09 Remote Code Execution

January 4, 2024

204

Apache OFBiz version 18.12.09 suffers from a pre-authentication remote code execution vulnerability.

advisories | CVE-2023-49070

From: Jacques Le Roux <jleroux () apache org>
Date: Mon, 04 Dec 2023 21:04:50 +0000

Severity: moderate

Affected versions:

- Apache OFBiz before 18.12.10

Description:

Pre-auth RCE in Apache Ofbiz 18.12.09.

It's due to XML-RPC no longer maintained still present.
This issue affects Apache OFBiz: before 18.12.10. 
Users are recommended to upgrade to version 18.12.10

This issue is being tracked as OFBIZ-12812 

Credit:

Siebene@ (finder)

References:

https://ofbiz.apache.org/download.html
https://ofbiz.apache.org/security.html
https://ofbiz.apache.org/release-notes-18.12.10.html
https://ofbiz.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-49070
https://issues.apache.org/jira/browse/OFBIZ-12812


-----
Packet Storm Note
Below is the proof of concept circulating on twitter:

#POC: 
/webtools/control/xmlrpc;/?USERNAME=&PASSWORD=s&requirePasswordChange=Y

Apache OFBiz 18.12.09 Remote Code Execution

Follow us on Instagram @thecyberpost

EDITOR PICKS

How to Make Your Employees Your First Line of Cyber Defense

Ukrainian REvil Hacker Sentenced to 13 Years and Ordered to Pay...

Risky Biz News: New router malware intercepts traffic to steal credentials

POPULAR POSTS

Restaurant Reservation System Patches Easy-to-Exploit XSS Bug

Sniffle – A Sniffer For Bluetooth 5 And 4.X LE

Domhttpx – A Google Search Engine Dorker With HTTP Toolkit Built...

POPULAR CATEGORY

Slurp 1.10.2 Format String

MOV.AI Robotics Engine 2.2.3-3 Cross Site Scripting

Jenkins 2.441 / LTS 2.426.3 Arbitrary File Read