PT-2024-5362 · Apache · Apache Ofbiz

Credited: 4Ra1N (+16)

Published 2024-08-04 · Updated 2025-08-23 · CVE-2024-38856

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Vulnerable software and affected versions: Apache OFBiz versions through 18.12.14

Description: This issue affects Apache OFBiz. It allows unauthenticated endpoints to execute the rendering code of screens when certain preconditions are met, for example when a screen definition does not explicitly check user permissions. The root cause is incorrect authorization, and the issue can lead to remote code execution. It is being actively exploited, and proof-of-concept exploits are publicly available. Users are recommended to upgrade to version 18.12.15, which fixes the issue.

Recommendations: For Apache OFBiz versions through 18.12.14, upgrade to version 18.12.15 to resolve the issue. As a temporary workaround, restrict access to unauthenticated endpoints to reduce the risk of exploitation.

Tags: Exploit · Fix · RCE · Incorrect Authorization


Weakness Enumeration

Related Identifiers

BDU:2024-05995
CVE-2024-38856
ZDI-24-1099

Affected Products

Apache Ofbiz