Godspeed

**Name of the Vulnerable Software and Affected Versions** Apache OFBiz versions through 18.12.14 **Description** This issue affects Apache OFBiz, allowing unauthenticated endpoints to execute screen rendering code of screens if certain preconditions are met, such as when screen definitions do not explicitly check user permissions. The vulnerability is related to incorrect authorization and can lead to remote code execution. It is being actively exploited, and proof-of-concept exploits are available. Users are recommended to upgrade to version 18.12.15 to fix the issue. **Recommendations** Apache OFBiz versions through 18.12.14: Upgrade to version 18.12.15 to resolve the issue. As a temporary workaround, consider restricting access to unauthenticated endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache OFBiz versions prior to 18.12.14 **Description** The issue affects Apache OFBiz due to an improper limitation of a pathname to a restricted directory, also known as a 'Path Traversal' vulnerability. This vulnerability may allow a remote attacker to execute arbitrary code, potentially leading to full system compromise. Approximately 841 devices may be affected. **Recommendations** To resolve the issue, users are recommended to upgrade to version 18.12.14, which fixes the issue. As a temporary workaround, consider restricting access to vulnerable directories until a patch is applied.