Description

OFBiz allows an unauthenticated attacker to send arbitrary requests to perform lookups on the internal network, which is otherwise inaccessible externally. This feature can be exploited to perform SSRF (Server-Side Request Forgery) attacks, potentially leading to Remote Code Execution (RCE) on the server

Remediation

Upgrade to the latest version of OFBiz

References

Apache OFBiz 18.12.16 released

[CVE-2024-45507] Add validation to screen/script URI to block URL patterns

Related Vulnerabilities

Apache HTTP Server Other Vulnerability (CVE-2015-0253)

MediaWiki Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2015-6729)

TCExam Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-20115)

ownCloud Other Vulnerability (CVE-2014-2055)

WordPress Other Vulnerability (CVE-2007-4153)

Severity

Critical

Classification

CVE-2024-45507 CWE-918 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Acumonitor SSRF Known Vulnerabilities