What is the vulnerability? There is an authentication bypass vulnerability in Apache OFBiz tracked under CVE-2023-51467 and CVE-2023-49070. Successful exploitation would let an attacker circumvent authentication processes, enabling them to remotely execute arbitrary code and access sensitive information. Apache OFBiz is an open-source business application suite for Enterprise Resource Planning software which integrates and automates many of the business processes across industries.
What is the Vendor Solution?
Customers are advised to upgrade to Apache OFBiz version 18.12.11 to patch these vulnerabilities. For more information, please refer to the Apache Security Advisory. [ Link ]
What FortiGuard Coverage is available?
FortiGuard Labs has an IPS signature “Apache.OFBiz.CVE-2023-49070.XMLRPC.Insecure.Deserialization” in place for CVE-2023-49070 and is investigating to create protection against exploitation of CVE-2023-51467.
FortiGuard Labs recommends companies to scan their environment, find vulnerable Apache OFBiz application, and upgrade as per vendor advisory and always follow best practices.
More Stories
ZDI-CAN-25373: Microsoft
A CVSS score 7.0 AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Peter Girnus - Trend Micro Zero Day Initiative' was reported to...
DSA-5774-1 ruby-saml – security update
It was discovered that ruby-saml, a SAML library implementing the client side of a SAML authorization, does not properly verify...
USN-6968-2: PostgreSQL vulnerability
USN-6968-1 fixed CVE-2024-7348 in PostgreSQL-12, PostgreSQL-14, and PostgreSQL-16 This update provides the corresponding updates for PostgreSQL-9.5 in Ubuntu 16.04 LTS....
USN-7015-2: Python vulnerabilities
USN-7015-1 fixed several vulnerabilities in Python. This update provides one of the corresponding updates for python2.7 for Ubuntu 16.04 LTS,...
USN-7027-1: Emacs vulnerabilities
It was discovered that Emacs incorrectly handled input sanitization. An attacker could possibly use this issue to execute arbitrary commands....
USN-7024-1: tgt vulnerability
It was discovered that tgt attempts to achieve entropy by calling rand without srand. The PRNG seed is always 1,...