====================================================================
CERT-Renater Information Note No. 2020/VULN394
_____________________________________________________________________
DATE : 16/07/2020
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Apache OFBiz versions prior to 17.12.04.
=====================================================================

https://lists.apache.org/thread.html/raf6020f765f12711e817ce13df63ecd7d677eebea8001e0473ee7c84@%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/r2e669797c1ea08562253239d2dc4192d951945e0c36cb0754f5394a6@%3Cannounce.apache.org%3E

_____________________________________________________________________
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: OFBiz 17.12.03
Description: Apache OFBiz XML-RPC requests are vulnerable to unsafe deserialization and Cross-Site Scripting issues.
Mitigation: Upgrade to 17.12.04 or manually apply the commit at OFBIZ-11716
Credit: Alvaro Munoz from GitHub Security Lab team
References: https://ofbiz.apache.org/security.html

_____________________________________________________________________
Vendor: The Apache Software Foundation
Versions Affected: All versions < 17.12.04
Description: IDOR vulnerability in the order processing feature of the ecommerce component.
Mitigation: Upgrade to 17.12.04 or manually apply the commit at OFBIZ-11836
Credit: Harshit Shukla
References: https://ofbiz.apache.org/security.html

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email: cert@support.renater.fr  +
=========================================================