Apache · Apache Ofbiz · CVE-2018-8033
Name of the Vulnerable Software and Affected Versions:
Apache OFBiz versions 16.11.01 through 16.11.04
Description:
The issue concerns the OFBiz HTTP engine, specifically its handling of HTTP service requests sent to the "/webtools/control/httpService" endpoint. Both POST and GET requests to this endpoint may contain parameters such as `serviceName`, `serviceMode`, and `serviceContext`. Exploitation relies on DOCTYPE declarations that point to external references, which trigger a payload that returns secret information from the host.
Recommendations:
For Apache OFBiz versions 16.11.01 through 16.11.04, consider disabling the httpService endpoint until a patch is available. Restrict access to the "/webtools/control/httpService" endpoint to minimize the risk of exploitation. Avoid using the parameters `serviceName`, `serviceMode`, and `serviceContext` in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
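Before the endpoint is disabled or restricted, it helps to know whether anything is reaching it. The following is an added example, not part of the original advisory or of OFBiz itself: it scans access-log lines for the endpoint and parameters named above. It assumes combined-format access logs; the sample lines, addresses and parameter values are constructed, and the `<!ENTITY` marker is an assumption added alongside the DOCTYPE indicator the description mentions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/webtools/control/httpService"                  # endpoint named in the advisory
PARAMS = ("serviceName", "serviceMode", "serviceContext")   # parameters named in the advisory
DTD_MARKERS = ("<!doctype", "<!entity")   # assumption: signs of an inline DTD in a value

# Assumption: combined log format; only client address, method and target are used.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3}')

def classify(line):
    """Return None for unrelated lines, else (ip, method, verdict)."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # Drop path parameters such as ;jsessionid=... and any trailing slash.
    path = unquote(url.path).split(";", 1)[0].rstrip("/")
    if path != ENDPOINT:
        return None
    query = parse_qs(url.query, keep_blank_values=True)   # percent-decodes values
    values = [v.lower() for p in PARAMS for v in query.get(p, [])]
    if any(marker in v for v in values for marker in DTD_MARKERS):
        verdict = "dtd-in-query"
    elif m["method"] == "POST":
        verdict = "post-body-not-logged"   # body is not in access logs: review manually
    else:
        verdict = "endpoint-hit"
    return m["ip"], m["method"], verdict

def scan(text):
    """Classify every line and keep only those that touch the endpoint."""
    return [hit for hit in map(classify, text.splitlines()) if hit]

# Constructed sample lines (documentation addresses, placeholder values).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2019:10:00:00 +0000] "GET /webtools/control/main HTTP/1.1" 200 512
192.0.2.11 - - [01/Jan/2019:10:00:05 +0000] "GET /webtools/control/httpService?serviceName=placeholderService&serviceMode=placeholder HTTP/1.1" 200 88
192.0.2.12 - - [01/Jan/2019:10:00:09 +0000] "POST /webtools/control/httpService HTTP/1.1" 200 310
192.0.2.13 - - [01/Jan/2019:10:00:12 +0000] "GET /webtools/control/httpService?serviceContext=%3C%21DOCTYPE+placeholder%3E HTTP/1.1" 500 0
"""

if __name__ == "__main__":
    for ip, method, verdict in scan(SAMPLE_LOG):
        print(f"{ip:15} {method:5} {verdict}")
```

Access logs do not record POST bodies, so every POST to the endpoint is reported for manual review rather than judged clean.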