Qiyi Zhang

**Name of the Vulnerable Software and Affected Versions** Apache OFBiz versions prior to 18.12.13 **Description** The issue is related to an improper limitation of a pathname to a restricted directory, also known as a path traversal vulnerability. This allows a remote attacker to execute arbitrary code by injecting a specially crafted URL. The vulnerability has been exploited in real-world attacks, with one of the attackers being the Mirai botnet. The exploitation is relatively simple, involving the addition of a semicolon (;) after a public URL, followed by a private URL that the attacker wishes to access. This can bypass authentication and allow code execution on the server. **Recommendations** To resolve the issue, users are recommended to upgrade to version 18.12.13, which fixes the issue. As a temporary workaround, consider restricting access to vulnerable API endpoints, such as `/webtools/control/forgotPassword`, to minimize the risk of exploitation. Additionally, avoid using specially crafted URLs that could be used to exploit the path traversal vulnerability.