vulnerability
Apache OFBiz: CVE-2024-38856: Incorrect authorization vulnerability.
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Aug 5, 2024 | Dec 23, 2024 | Nov 28, 2025 |
Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
Aug 5, 2024
Added
Dec 23, 2024
Modified
Nov 28, 2025
Description
Incorrect authorization vulnerability in apache ofbiz. this issue affects apache ofbiz: through 18.12.14. users are recommended to upgrade to version 18.12.15, which fixes the issue. unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
Solution
apache-ofbiz-upgrade-latest
References
- CWE-863
- CVE-2024-38856
- https://attackerkb.com/topics/CVE-2024-38856
- https://issues.apache.org/jira/browse/OFBIZ-13128
- https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w
- https://ofbiz.apache.org/download.html
- https://ofbiz.apache.org/security.html
- https://github.com/apache/ofbiz-framework/commit/31d8d7
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.