Advisory

Apache OFBiz patches two flaws, one critical

Take action: If you are running Apache OFBiz, restrict access from the internet and update to 18.12.17 as soon as possible. Full details of both issues are public, so exploitation attempts should be expected very soon.


Learn More

The Apache Software Foundation has patched two significant security vulnerabilities in its OFBiz enterprise resource planning (ERP) software suite.

The disclosure carries heightened urgency given CISA's August warning about active in-the-wild exploitation of earlier Apache OFBiz vulnerabilities.

  • CVE-2024-47208 (CVSS score 9.8) combines Server-Side Request Forgery (SSRF) with code injection: Groovy expressions embedded in a manipulated URL are evaluated by the server, allowing an attacker to execute arbitrary code.
  • CVE-2024-48962 (CVSS score between 7.5 and 8.9 depending on the source) enables Cross-Site Request Forgery (CSRF) attacks by bypassing SameSite protections. It stems from improper control of generated code and improper neutralization of input in OFBiz's template engine.

Both vulnerabilities affect all Apache OFBiz versions prior to 18.12.17. While there are currently no reported instances of these specific vulnerabilities being actively exploited, the previous CISA warning about Apache OFBiz exploitation suggests that the software is an attractive target for cybercriminals.

The Apache Software Foundation strongly recommends immediate updates to version 18.12.17, which includes patches for both vulnerabilities.
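The first step in acting on this advisory is finding every installation that is still below 18.12.17. The following Python snippet is an added example, not code from the advisory or from the OFBiz project. It compares version strings component-wise as integers (a plain string comparison ranks "18.12.9" above "18.12.17" and would miss an affected host) and conservatively treats SNAPSHOT or RC builds numbered 18.12.17 as not yet fixed. The hostnames in the sample inventory are constructed.

```python
import re
from typing import Iterable

# Per the Apache advisory: every OFBiz release before 18.12.17 is affected;
# 18.12.17 carries the fixes for CVE-2024-47208 and CVE-2024-48962.
FIXED_VERSION = "18.12.17"

# Suffixes that mark a build as preceding the release it is numbered after.
_PRERELEASE_TAGS = ("snapshot", "rc", "alpha", "beta")

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(.*)$")


def parse_version(text: str) -> tuple[tuple[int, ...], bool]:
    """Split '18.12.09-SNAPSHOT' into ((18, 12, 9), True).

    The bool is True for a pre-release build (SNAPSHOT, RC, ...), which is
    treated as older than the bare release number it carries.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    suffix = m.group(2).strip().lstrip("-._").lower()
    prerelease = suffix.startswith(_PRERELEASE_TAGS)
    return numbers, prerelease


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` predates the fixed release."""
    (a, a_pre), (b, b_pre) = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # so "18.12" compares as 18.12.0
    b += (0,) * (width - len(b))
    if a != b:
        return a < b
    # Same number: a SNAPSHOT/RC of 18.12.17 predates the 18.12.17 release.
    return a_pre and not b_pre


def hosts_to_patch(inventory: Iterable[tuple[str, str]]) -> list[str]:
    """Return the hosts from (hostname, version) pairs that still need 18.12.17."""
    return [host for host, version in inventory if is_affected(version)]


# Constructed sample inventory (hypothetical hostnames, not real systems).
SAMPLE_INVENTORY = [
    ("erp-prod-01", "18.12.16"),
    ("erp-prod-02", "18.12.17"),
    ("erp-stage", "18.12.9"),           # sorts after "18.12.17" as a string
    ("erp-dev", "18.12.17-SNAPSHOT"),   # pre-release build of the fixed version
    ("erp-legacy", "17.12.01"),
]

if __name__ == "__main__":
    for host in hosts_to_patch(SAMPLE_INVENTORY):
        print(f"{host}: update to {FIXED_VERSION}")
```

Feed it the version strings from your own asset inventory (the OFBiz release is visible in the distribution's `build.gradle` and in the version reported by the running instance); anything it lists should be patched and, until then, kept off the internet.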
