Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-48962— Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE)

EPSS 0.69% · P72
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-48962

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE)
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache OFBiz 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache OFBiz是美国阿帕奇(Apache)基金会的一套企业资源计划(ERP)系统。该系统提供了一整套基于Java的Web应用程序组件和工具。 Apache OFBiz 18.12.17之前版本存在安全漏洞,该漏洞源于使用的特殊元素中和不当,导致代码注入和跨站请求伪造(CSRF)漏洞。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Apache Software FoundationApache OFBiz 0 ~ 18.12.17 -

II. Public POCs for CVE-2024-48962

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2024-48962

登录查看更多情报信息。

Same Patch Batch · Apache Software Foundation · 2024-11-18 · 8 CVEs total

CVE-2024-52318Apache Tomcat: Incorrect JSP tag recycling leads to XSS
CVE-2024-52317Apache Tomcat: Request/response mix-up with HTTP/2
CVE-2024-52316Apache Tomcat: Authentication bypass when using Jakarta Authentication API
CVE-2024-41151Apache HertzBeat: RCE by notice template injection vulnerability
CVE-2024-45791Apache HertzBeat: Exposure sensitive token via http GET method with query string
CVE-2024-45505Apache HertzBeat: Exists Native Deser RCE and file writing vulnerabilities
CVE-2024-47208Apache OFBiz: URLs allowing remote use of Groovy expressions, leading to RCE

IV. Related Vulnerabilities

Same product: Apache OFBiz
Same vendor: Apache Software Foundation
Same weakness: CWE-94

V. Comments for CVE-2024-48962

No comments yet

Leave a comment