MAL-003: Groovy Security Bypass and Stored XSS in Apache OfBiz

A Groovy RCE and XSS have been identified in Apache OfBiz <= 18.12.05.

Why no CVE?

Apache OfBiz does not create CVEs for "post-auth attacks done using demo credentials, notably using the admin user" as mentioned on their security page.

Requirements:

This vulnerability requires:

Valid user credentials

Proof Of Concept:

More details and the exploitation process can be found in this PDF.

Name		Name	Last commit message	Last commit date
Latest commit History 3 Commits
Apache OfBiz - MAL-003.pdf		Apache OfBiz - MAL-003.pdf
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Apache OfBiz - MAL-003.pdf

Apache OfBiz - MAL-003.pdf

README.md

README.md

Repository files navigation

MAL-003: Groovy Security Bypass and Stored XSS in Apache OfBiz

Why no CVE?

Requirements:

Proof Of Concept:

About

mbadanoiu/MAL-003

Folders and files

Latest commit

History

Apache OfBiz - MAL-003.pdf

Apache OfBiz - MAL-003.pdf

README.md

README.md

Repository files navigation

MAL-003: Groovy Security Bypass and Stored XSS in Apache OfBiz

Why no CVE?

Requirements:

Proof Of Concept:

About

Topics

Resources

Stars

Watchers

Forks