Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic Flaw Leading to Remote Code Execution This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
The flaw lies in the password change logic handling in Apache OFBiz — improper implementation of the authentication process allows bypassing user identity verification. An attacker remotely, without possessing an account or any permissions, can exploit this vulnerability to gain unauthorized access to the application. Consequently, remote code execution (RCE) on the server running the application is possible.
An attacker can gain full control over the system — from unauthorized access to data, through modification and deletion, to execution of arbitrary code on the server (RCE), which threatens the confidentiality, integrity, and availability of the system.
Apache OFBiz must be immediately updated to version 24.09.06 or newer, which contains a fix eliminating the described vulnerability.
Apache OFBiz in all versions prior to 24.09.06
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Ofbiz
APPApache< 24.09.06
Related vulnerabilities
Apache OFBiz — nieautoryzowane wykonanie kodu przez błędną autoryzację
Path Traversal w Apache OFBiz umożliwiający zdalne wykonanie kodu
LDAP Injection w Apache OFBiz umożliwiający nieautoryzowany dostęp
Apache OFBiz — użycie zakodowanego na stałe klucza kryptograficznego
Apache OFBiz: Code Injection w pluginie scrum umożliwia RCE