Total
57 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-2137 | 1 Apache | 1 Ofbiz | 2026-04-29 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the "View Log" screen in the Webtools application in Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2010-0432 | 1 Apache | 1 Ofbiz | 2026-04-29 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 09.04 and earlier, as used in Opentaps, Neogia, and Entente Oya, allow remote attackers to inject arbitrary web script or HTML via (1) the productStoreId parameter to control/exportProductListing, (2) the partyId parameter to partymgr/control/viewprofile (aka partymgr/control/login), (3) the start parameter to myportal/control/showPortalPage, (4) an invalid URI beginning with /facility/control/ReceiveReturn (aka /crmsfa/control/ReceiveReturn or /cms/control/ReceiveReturn), (5) the contentId parameter (aka the entityName variable) to ecommerce/control/ViewBlogArticle, (6) the entityName parameter to webtools/control/FindGeneric, or the (7) subject or (8) content parameter to an unspecified component under ecommerce/control/contactus. | |||||
| CVE-2013-0177 | 1 Apache | 1 Ofbiz | 2026-04-29 | 3.5 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in widget/screen/ModelScreenWidget.java in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.05, 11.04.01, and possibly 09.04.x allow remote authenticated users to inject arbitrary web script or HTML via the (1) Screenlet.title or (2) Image.alt Widget attribute, as demonstrated by the parentPortalPageId parameter to exampleext/control/ManagePortalPages. | |||||
| CVE-2013-2250 | 1 Apache | 1 Ofbiz | 2026-04-29 | 10.0 HIGH | N/A |
| Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05, 11.04.01 through 11.04.02, and 12.04.01 allows remote attackers to execute arbitrary Unified Expression Language (UEL) functions via JUEL metacharacters in unspecified parameters, related to nested expressions. | |||||
| CVE-2012-3506 | 1 Apache | 1 Ofbiz | 2026-04-29 | 10.0 HIGH | N/A |
| Unspecified vulnerability in the Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.03 has unknown impact and attack vectors. | |||||
| CVE-2006-6589 | 1 Apache | 2 Ofbiz, Opentaps | 2026-04-23 | 6.8 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in ecommerce/control/keywordsearch in the Apache Open For Business Project (OFBiz) and Opentaps 0.9.3 allows remote attackers to inject arbitrary web script or HTML via the SEARCH_STRING parameter, a different issue than CVE-2006-6587. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2006-6588 | 1 Apache | 1 Ofbiz | 2026-04-23 | 7.5 HIGH | N/A |
| The forum implementation in the ecommerce component in the Apache Open For Business Project (OFBiz) trusts the (1) dataResourceTypeId, (2) contentTypeId, and certain other hidden form fields, which allows remote attackers to create unauthorized types of content, modify content, or have other unknown impact. | |||||
| CVE-2006-6587 | 1 Apache | 1 Ofbiz | 2026-04-23 | 6.8 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the forum implementation in the ecommerce component in the Apache Open For Business Project (OFBiz) allows remote attackers to inject arbitrary web script or HTML by posting a message. | |||||
| CVE-2025-59118 | 1 Apache | 1 Ofbiz | 2025-11-13 | N/A | 7.3 HIGH |
| Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are recommended to upgrade to version 24.09.03, which fixes the issue. | |||||
| CVE-2025-61623 | 1 Apache | 1 Ofbiz | 2025-11-13 | N/A | 6.5 MEDIUM |
| Reflected cross-site scripting vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.03. Users are recommended to upgrade to version 24.09.03, which fixes the issue. | |||||
| CVE-2025-54466 | 1 Apache | 1 Ofbiz | 2025-11-04 | N/A | 9.8 CRITICAL |
| Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability. Users are recommended to upgrade to version 24.09.02, which fixes the issue. | |||||
| CVE-2024-45195 | 1 Apache | 1 Ofbiz | 2025-10-23 | N/A | 7.5 HIGH |
| Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue. | |||||
| CVE-2024-38856 | 1 Apache | 1 Ofbiz | 2025-10-23 | N/A | 9.8 CRITICAL |
| Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints). | |||||
| CVE-2024-32113 | 1 Apache | 1 Ofbiz | 2025-10-23 | N/A | 9.8 CRITICAL |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue. | |||||
| CVE-2024-36104 | 1 Apache | 1 Ofbiz | 2025-07-01 | N/A | 9.1 CRITICAL |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue. | |||||
| CVE-2024-47208 | 1 Apache | 1 Ofbiz | 2025-06-24 | N/A | 9.8 CRITICAL |
| Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue. | |||||
| CVE-2025-26865 | 1 Apache | 1 Ofbiz | 2025-06-23 | N/A | 3.5 LOW |
| Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18. It's a regression between 18.12.17 and 18.12.18. In case you use something like that, which is not recommended! For security, only official releases should be used. In other words, if you use 18.12.17 you are still safe. The version 18.12.17 is not a affected. But something between 18.12.17 and 18.12.18 is. In that case, users are recommended to upgrade to version 18.12.18, which fixes the issue. | |||||
| CVE-2024-25065 | 1 Apache | 1 Ofbiz | 2025-05-05 | N/A | 9.1 CRITICAL |
| Possible path traversal in Apache OFBiz allowing authentication bypass. Users are recommended to upgrade to version 18.12.12, that fixes the issue. | |||||
| CVE-2025-30676 | 1 Apache | 1 Ofbiz | 2025-04-29 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.19. Users are recommended to upgrade to version 18.12.19, which fixes the issue. | |||||
| CVE-2016-4462 | 1 Apache | 1 Ofbiz | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01 | |||||