Gao Tian

Rank: #26398 of 53,635
Total CVSS: 9.8
Vulnerabilities: 1
PT-2023-8022 · CVSS 9.8 · 2023-12-26
Apache · Apache OFBiz · CVE-2023-51467
**Name of the Vulnerable Software and Affected Versions**

Apache OFBiz versions prior to 18.12.11.

**Description**

The vulnerability allows attackers to bypass authentication and thereby remotely execute arbitrary code. The root cause is insufficient validation of incoming requests. The estimated number of potentially affected devices worldwide is around 65,041, located mainly in the United States, Japan, and other countries. The issue has been exploited in real-world incidents, and researchers have published proof-of-concept (PoC) exploits. Technical details of exploitation involve API endpoints such as `/webtools/control/xmlrpc/` and the vulnerable `USERNAME` and `PASSWORD` parameters. The `checkLogin()` function is also affected: it allows authentication to be bypassed when `requirePasswordChange=Y` is set in the URI.

**Recommendations**

Update to Apache OFBiz version 18.12.11 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as `/webtools/control/xmlrpc/`, until the patch is applied. Additionally, avoid using the `requirePasswordChange` parameter in the URI until the issue is resolved.