CVE-2018-8033

HIGH NUCLEI

Apache OFBiz 16.11.01-16.11.04 - Info Disclosure

Title source: llm

Description

In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext. The exploitation occurs by having DOCTYPEs pointing to external references that trigger a payload that returns secret information from the host.

Exploits (1)

nomisec SCANNER 2 stars

by Cappricio-Securities · poc

https://github.com/Cappricio-Securities/CVE-2018-8033

View Code ZIP pw:eip

Nuclei Templates (1)

Apache OFBiz - XML External Entity Injection

HIGHVERIFIEDby daffainfo

Shodan: http.html:"ofbiz" || ofbiz.visitor=

FOFA: body="ofbiz" || app="apache_ofbiz"

References (1)

[Mailing List] https://lists.apache.org/thread.html/e8fb551e86e901932081f81ee9985bb72052b4d412f23d89b1282777%40%3Cuser.ofbiz.apache.org%3E

Scores

CVSS v3 7.5

EPSS 0.9219

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-200

Status published

Products (1)

apache/ofbiz 16.11.01 - 16.11.04

Published Dec 13, 2018

Tracked Since Feb 18, 2026