CVE-2018-8033

Severity: HIGH · Nuclei template available

Apache OFBiz 16.11.01-16.11.04 - Info Disclosure


Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-8033. PoCs published by Cappricio-Securities. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a Python-based scanner for detecting CVE-2018-8033, an XXE vulnerability in Apache OFBiz. The tool sends crafted XML payloads to target endpoints and checks for vulnerability indicators.

Description

In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext. Exploitation works by supplying a DOCTYPE that points to an external reference, triggering a payload that returns secret information from the host.

Exploits (1)

Source: nomisec · Type: Scanner · 2 stars
by Cappricio-Securities · poc
https://github.com/Cappricio-Securities/CVE-2018-8033


Classification: Scanner (90%)
Attack Type: XXE
Complexity: Moderate
Reliability: Reliable
Target: Apache OFBiz
Authentication: none needed
Prerequisites: Network access to the target Apache OFBiz instance
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

Apache OFBiz - XML External Entity Injection
HIGH · VERIFIED · by daffainfo
Shodan: http.html:"ofbiz" || ofbiz.visitor=
FOFA: body="ofbiz" || app="apache_ofbiz"

Scores

CVSS v3: 7.5
EPSS: 0.2574
EPSS Percentile: 97.7%
Attack Vector: NETWORK
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE: CWE-200
Status: published
Products (1): apache/ofbiz 16.11.01 - 16.11.04
Published: Dec 13, 2018
Tracked Since: Feb 18, 2026