Description
The Webtools XML-RPC endpoint of Apache OFBiz passes request arguments through unsafe Java deserialization and is therefore vulnerable to deserialization attacks. A remote attacker could send specially crafted serialized data to the endpoint to execute arbitrary code on the system or to cause a denial of service.
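The attack vector is a Java serialization stream smuggled inside an XML-RPC parameter: Apache XML-RPC's extension type `<ex:serializable>` (namespace `http://ws.apache.org/xmlrpc/namespaces/extensions`) carries a base64-encoded Java object that the server rebuilds with `ObjectInputStream`. Below is an added detection example, not code from Apache OFBiz or from this advisory, that inspects an XML-RPC request body for such payloads and reports the class name of the first serialized object. The sample request, the method name `testMethod`, and the truncated serialization stream for `java.util.HashMap` are constructed for the example.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Namespace that Apache XML-RPC uses for its non-standard "extension" types.
EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
# Every Java serialization stream starts with STREAM_MAGIC (0xACED) and
# STREAM_VERSION (5); a stream carrying an object then continues with
# TC_OBJECT (0x73) and TC_CLASSDESC (0x72).
JAVA_STREAM_HEADER = b"\xac\xed\x00\x05"
TC_OBJECT_CLASSDESC = b"\x73\x72"


def java_class_name(stream: bytes):
    """Return the class name of the first object in a Java serialization
    stream, or None if the bytes do not begin with an object. The class
    descriptor stores the name as a 2-byte big-endian length followed by
    modified-UTF-8 bytes."""
    if not stream.startswith(JAVA_STREAM_HEADER + TC_OBJECT_CLASSDESC):
        return None
    pos = len(JAVA_STREAM_HEADER) + len(TC_OBJECT_CLASSDESC)
    if len(stream) < pos + 2:
        return None
    name_len = int.from_bytes(stream[pos:pos + 2], "big")
    name = stream[pos + 2:pos + 2 + name_len]
    if len(name) != name_len:
        return None
    return name.decode("utf-8", errors="replace")


def inspect_xmlrpc_request(body: str) -> dict:
    """Parse an XML-RPC <methodCall> body (e.g. one POSTed to
    /webtools/control/xmlrpc) and report every <serializable> parameter
    that carries a Java serialization stream."""
    result = {"parse_error": False, "method": "", "java_objects": []}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # Unparseable bodies are worth flagging too; do not crash the filter.
        result["parse_error"] = True
        return result
    result["method"] = (root.findtext("methodName") or "").strip()
    for el in root.iter():
        # Accept the element whether or not it is namespace-qualified.
        if el.tag not in ("serializable", "{%s}serializable" % EXT_NS):
            continue
        text = "".join((el.text or "").split())  # base64 may be line-wrapped
        try:
            raw = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw.startswith(JAVA_STREAM_HEADER):
            result["java_objects"].append(java_class_name(raw) or "<unknown>")
    return result


def constructed_stream(class_name: str) -> bytes:
    """Constructed stand-in for a Java serialization stream: correct header
    and class-descriptor prefix, truncated after the class name."""
    name = class_name.encode("utf-8")
    return (JAVA_STREAM_HEADER + TC_OBJECT_CLASSDESC
            + len(name).to_bytes(2, "big") + name + b"\x00" * 8)


def make_request(payload_b64: str) -> str:
    """Constructed XML-RPC call carrying one extension-typed parameter."""
    return (
        '<?xml version="1.0"?>\n'
        '<methodCall xmlns:ex="%s">\n'
        '  <methodName>testMethod</methodName>\n'
        '  <params><param><value>\n'
        '    <ex:serializable>%s</ex:serializable>\n'
        '  </value></param></params>\n'
        '</methodCall>' % (EXT_NS, payload_b64)
    )


SAMPLE_ATTACK = make_request(
    base64.b64encode(constructed_stream("java.util.HashMap")).decode())
SAMPLE_BENIGN = (
    '<?xml version="1.0"?><methodCall><methodName>testMethod</methodName>'
    '<params><param><value><string>hello</string></value></param></params>'
    '</methodCall>')

if __name__ == "__main__":
    print(inspect_xmlrpc_request(SAMPLE_ATTACK))
    print(inspect_xmlrpc_request(SAMPLE_BENIGN))
```

The check keys on the serialization stream's own header rather than on a particular gadget class, so it catches any Java object sent through the extension type; the reported class name is only the outermost object and says nothing about nested gadgets, so treat any hit on this endpoint as hostile rather than trying to allow-list classes at the proxy.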
Remediation
Upgrade to a release of Apache OFBiz that contains the fix for CVE-2020-9496; preferably upgrade to a release that removes the deprecated Apache XML-RPC code altogether, which is how CVE-2023-49070 was addressed. Until the upgrade is deployed, block access to the Webtools XML-RPC endpoint (/webtools/control/xmlrpc) at the reverse proxy or firewall, and do not expose it to untrusted networks.
References
Remove deprecated Apache XML-RPC related code (CVE-2023-49070)
Unsafe deserialization of XMLRPC arguments in ApacheOfBiz - CVE-2020-9496