Back to KEVs

CVE-2024-38856

Apache OFBiz: Unauthenticated endpoint could allow execution of screen rendering code

Basic Information

CVE State
PUBLISHED
Reserved Date
June 20, 2024
Published Date
August 05, 2024
Last Updated
August 31, 2024
Vendor
Apache Software Foundation
Product
Apache OFBiz
Description
Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
Tags
apache cisa nuclei_scanner metasploit_scanner

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2024-08-27 00:00:00 UTC) Source
Proof of Concept Available
Yes (added 2024-08-10 03:05:34 UTC) Source

References

https://ofbiz.apache.org/download.html https://ofbiz.apache.org/security.html https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w https://issues.apache.org/jira/browse/OFBIZ-13128

Known Exploited Vulnerability Information

Source Added Date
CISA 2024-08-27 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Metasploit https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_ofbiz_forgot_password_directory_traversal.rb 2025-04-29 11:01:20 UTC
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-38856.yaml 2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

apache_ofbiz_forgot_password_directory_traversal

Type: metasploit • Created: Unknown

Metasploit module for CVE-2024-38856

BBD-YZZ/CVE-2024-38856-RCE

Type: github • Created: 2024-08-28 03:17:22 UTC • Stars: 3

Apache OFBiz CVE-2024-38856

0x20c/CVE-2024-38856-EXP

Type: github • Created: 2024-08-22 04:05:02 UTC • Stars: 9

CVE-2024-38856 Exploit

ThatNotEasy/CVE-2024-38856

Type: github • Created: 2024-08-10 03:05:34 UTC • Stars: 2

Perform With Massive Apache OFBiz Zero-Day Scanner & RCE

securelayer7/CVE-2024-38856_Scanner

Type: github • Created: 2024-08-08 02:40:56 UTC • Stars: 43

Apache OFBiz RCE Scanner & Exploit (CVE-2024-38856)

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Added to KEVIntel

  • Detected by Nuclei

  • Detected by Metasploit