[CVE-2020-9496] Apache OFBiz XML-RPC requests vulnerable without authentication


Jacques Le Roux
Administrator
Severity:
Important

Vendor:
The Apache Software Foundation

Versions Affected:
OFBiz 17.12.03

Description:
Apache OFBiz XML-RPC requests are vulnerable to unsafe deserialization and Cross-Site Scripting issues.

Mitigation:
Upgrade to 17.12.04 or manually apply the commit at OFBIZ-11716
----

Credit:
Alvaro Munoz from the GitHub Security Lab team <[hidden email]>

References:
https://ofbiz.apache.org/security.html