CVE-2023-50968
HIGH EXPLOITED NUCLEIApache OFBiz < 18.12.11 - Unauthenticated Arbitrary File Read and Server-Side Request Forgery
Title source: llmExploitation Summary
CVE-2023-50968 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue.
Nuclei Templates (1)
Apache OFBiz < 18.12.11 - Server Side Request Forgery
HIGHVERIFIEDby your3cho
Shodan:
html:"OFBiz" || http.html:"ofbiz" || ofbiz.visitor=
FOFA:
app="Apache_OFBiz" || body="ofbiz" || app="apache_ofbiz"
References (6)
Core 6
Core References
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/12/26/2
Product mitigation
https://ofbiz.apache.org/download.html
Vendor Advisory related
https://ofbiz.apache.org/security.html
Release Notes release-notes
https://ofbiz.apache.org/release-notes-18.12.11.html
Issue Tracking, Patch, Vendor Advisory issue-tracking
https://issues.apache.org/jira/browse/OFBIZ-12875
Mailing List, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/x5now4bk3llwf3k58kl96qvtjyxwp43q
Scores
CVSS v3
7.5
EPSS
0.6337
EPSS Percentile
99.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
VulnCheck KEV
2024-01-21
CWE
CWE-200
CWE-918
Status
published
Products (1)
apache/ofbiz
< 18.12.11
Published
Dec 26, 2023
Tracked Since
Feb 18, 2026