Vulnerabilities related to Apache - Apache OFBiz
CVE-2019-0235 (GCVE-0-2019-0235)
Vulnerability from cvelistv5
Published
2020-04-30 19:22
Modified
2024-08-04 17:44
Severity: not scored (the CVE record below carries no CVSS metrics)
CWE
  • CSRF Vulnerability (cross-site request forgery, CWE-352; the CVE record stores this problem type as free text only, without a CWE identifier)
Summary
Apache OFBiz 17.12.01 is vulnerable to cross-site request forgery (CSRF) on some requests; the referenced OFBIZ-11306 thread and commit concern the CSRF token work that appears to address it. Note that the only affected version recorded is 17.12.01, while the referenced Packet Storm advisory title names 17.12.03 — verify the affected and fixed versions against the linked OFBiz security page (https://s.apache.org/n4vnt) before relying on this version entry.
Impacted products
Vendor Product Version
Apache Apache OFBiz Version: 17.12.01


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T17:44:15.925Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://s.apache.org/n4vnt"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/157514/Apache-OFBiz-17.12.03-Cross-Site-Request-Forgery.html"
          },
          {
            "name": "[ofbiz-notifications] 20200705 [jira] [Commented] (OFBIZ-11306) POC for CSRF Token (CVE-2019-0235)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rbd572bb27991835a3455c1bf694e7140d79ab03cdb9e6e50fd1219d7%40%3Cnotifications.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-notifications] 20200706 [jira] [Commented] (OFBIZ-11306) POC for CSRF Token (CVE-2019-0235)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r392206f7cd131f0fc3f7c60a767ced93ced00411d55c1777c219c956%40%3Cnotifications.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-notifications] 20200707 [jira] [Commented] (OFBIZ-11306) POC for CSRF Token (CVE-2019-0235)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rfe36dc9135810954ef667d29129d02207fb999a286b60d33bd9c2349%40%3Cnotifications.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-notifications] 20200708 [jira] [Commented] (OFBIZ-11306) POC for CSRF Token (CVE-2019-0235)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r9eeb6c41d2c562b451f1e48ec56881f59107cc4dea7c883db2c5373d%40%3Cnotifications.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-commits] 20200708 [ofbiz-framework] 01/02: Documented: POC for CSRF Token (CVE-2019-0235) (OFBIZ-11306)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rb53870d24088956a555683aa1aea7e532e3be65b863b9c75eac31b90%40%3Ccommits.ofbiz.apache.org%3E"
          },
          {
            "name": "[announce] 20210125 Apache Software Foundation Security Report: 2020",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E"
          },
          {
            "name": "[announce] 20210223 Re: Apache Software Foundation Security Report: 2020",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache OFBiz",
          "vendor": "Apache",
          "versions": [
            {
              "status": "affected",
              "version": "17.12.01"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache OFBiz 17.12.01 is vulnerable to some CSRF attacks."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CSRF Vulnerability",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-24T03:06:33",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://s.apache.org/n4vnt"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/157514/Apache-OFBiz-17.12.03-Cross-Site-Request-Forgery.html"
        },
        {
          "name": "[ofbiz-notifications] 20200705 [jira] [Commented] (OFBIZ-11306) POC for CSRF Token (CVE-2019-0235)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rbd572bb27991835a3455c1bf694e7140d79ab03cdb9e6e50fd1219d7%40%3Cnotifications.ofbiz.apache.org%3E"
        },
        {
          "name": "[ofbiz-notifications] 20200706 [jira] [Commented] (OFBIZ-11306) POC for CSRF Token (CVE-2019-0235)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r392206f7cd131f0fc3f7c60a767ced93ced00411d55c1777c219c956%40%3Cnotifications.ofbiz.apache.org%3E"
        },
        {
          "name": "[ofbiz-notifications] 20200707 [jira] [Commented] (OFBIZ-11306) POC for CSRF Token (CVE-2019-0235)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rfe36dc9135810954ef667d29129d02207fb999a286b60d33bd9c2349%40%3Cnotifications.ofbiz.apache.org%3E"
        },
        {
          "name": "[ofbiz-notifications] 20200708 [jira] [Commented] (OFBIZ-11306) POC for CSRF Token (CVE-2019-0235)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r9eeb6c41d2c562b451f1e48ec56881f59107cc4dea7c883db2c5373d%40%3Cnotifications.ofbiz.apache.org%3E"
        },
        {
          "name": "[ofbiz-commits] 20200708 [ofbiz-framework] 01/02: Documented: POC for CSRF Token (CVE-2019-0235) (OFBIZ-11306)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rb53870d24088956a555683aa1aea7e532e3be65b863b9c75eac31b90%40%3Ccommits.ofbiz.apache.org%3E"
        },
        {
          "name": "[announce] 20210125 Apache Software Foundation Security Report: 2020",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E"
        },
        {
          "name": "[announce] 20210223 Re: Apache Software Foundation Security Report: 2020",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2019-0235",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache OFBiz",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "17.12.01"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache OFBiz 17.12.01 is vulnerable to some CSRF attacks."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CSRF Vulnerability"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://s.apache.org/n4vnt",
              "refsource": "CONFIRM",
              "url": "https://s.apache.org/n4vnt"
            },
            {
              "name": "http://packetstormsecurity.com/files/157514/Apache-OFBiz-17.12.03-Cross-Site-Request-Forgery.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/157514/Apache-OFBiz-17.12.03-Cross-Site-Request-Forgery.html"
            },
            {
              "name": "[ofbiz-notifications] 20200705 [jira] [Commented] (OFBIZ-11306) POC for CSRF Token (CVE-2019-0235)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rbd572bb27991835a3455c1bf694e7140d79ab03cdb9e6e50fd1219d7@%3Cnotifications.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-notifications] 20200706 [jira] [Commented] (OFBIZ-11306) POC for CSRF Token (CVE-2019-0235)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r392206f7cd131f0fc3f7c60a767ced93ced00411d55c1777c219c956@%3Cnotifications.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-notifications] 20200707 [jira] [Commented] (OFBIZ-11306) POC for CSRF Token (CVE-2019-0235)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rfe36dc9135810954ef667d29129d02207fb999a286b60d33bd9c2349@%3Cnotifications.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-notifications] 20200708 [jira] [Commented] (OFBIZ-11306) POC for CSRF Token (CVE-2019-0235)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r9eeb6c41d2c562b451f1e48ec56881f59107cc4dea7c883db2c5373d@%3Cnotifications.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-commits] 20200708 [ofbiz-framework] 01/02: Documented: POC for CSRF Token (CVE-2019-0235) (OFBIZ-11306)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rb53870d24088956a555683aa1aea7e532e3be65b863b9c75eac31b90@%3Ccommits.ofbiz.apache.org%3E"
            },
            {
              "name": "[announce] 20210125 Apache Software Foundation Security Report: 2020",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E"
            },
            {
              "name": "[announce] 20210223 Re: Apache Software Foundation Security Report: 2020",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2019-0235",
    "datePublished": "2020-04-30T19:22:20",
    "dateReserved": "2018-11-14T00:00:00",
    "dateUpdated": "2024-08-04T17:44:15.925Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-1943 (GCVE-0-2020-1943)
Vulnerability from cvelistv5
Published
2020-04-01 18:18
Modified
2024-08-04 06:53
Severity: not scored (the CVE record below carries no CVSS metrics)
CWE
  • XSS Vulnerability (cross-site scripting, CWE-79; the CVE record stores this problem type as free text only, without a CWE identifier)
Summary
The contentId parameter sent to the /control/stream request is not sanitized before being rendered, allowing cross-site scripting (XSS) in Apache OFBiz 16.11.01 to 16.11.07.
Impacted products
Vendor Product Version
Apache Apache OFBiz Version: 16.11.01 to 16.11.07


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T06:53:59.927Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://s.apache.org/pr5u8"
          },
          {
            "name": "[ofbiz-commits] 20200430 svn commit: r1877207 - in /ofbiz/site: security.html template/page/security.tpl.php",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r034123f2767830169fd04c922afb22d2389de6e2faf3a083207202bc%40%3Ccommits.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-dev] 20200705 Error.ftl everywhere",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r8efd5b62604d849ae2f93b2eb9ce0ce0356a4cf5812deed14030a757%40%3Cdev.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-dev] 20200715 Re: Error.ftl everywhere",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ra6c011af63d8a8cd8c0b8f72b2b0c392af4d5ed040ba59be344d13fa%40%3Cdev.ofbiz.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache OFBiz",
          "vendor": "Apache",
          "versions": [
            {
              "status": "affected",
              "version": "16.11.01 to 16.11.07"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "XSS Vulnerability",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-15T20:06:18",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://s.apache.org/pr5u8"
        },
        {
          "name": "[ofbiz-commits] 20200430 svn commit: r1877207 - in /ofbiz/site: security.html template/page/security.tpl.php",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r034123f2767830169fd04c922afb22d2389de6e2faf3a083207202bc%40%3Ccommits.ofbiz.apache.org%3E"
        },
        {
          "name": "[ofbiz-dev] 20200705 Error.ftl everywhere",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r8efd5b62604d849ae2f93b2eb9ce0ce0356a4cf5812deed14030a757%40%3Cdev.ofbiz.apache.org%3E"
        },
        {
          "name": "[ofbiz-dev] 20200715 Re: Error.ftl everywhere",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ra6c011af63d8a8cd8c0b8f72b2b0c392af4d5ed040ba59be344d13fa%40%3Cdev.ofbiz.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2020-1943",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache OFBiz",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "16.11.01 to 16.11.07"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "XSS Vulnerability"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://s.apache.org/pr5u8",
              "refsource": "MISC",
              "url": "https://s.apache.org/pr5u8"
            },
            {
              "name": "[ofbiz-commits] 20200430 svn commit: r1877207 - in /ofbiz/site: security.html template/page/security.tpl.php",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r034123f2767830169fd04c922afb22d2389de6e2faf3a083207202bc@%3Ccommits.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-dev] 20200705 Error.ftl everywhere",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r8efd5b62604d849ae2f93b2eb9ce0ce0356a4cf5812deed14030a757@%3Cdev.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-dev] 20200715 Re: Error.ftl everywhere",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ra6c011af63d8a8cd8c0b8f72b2b0c392af4d5ed040ba59be344d13fa@%3Cdev.ofbiz.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2020-1943",
    "datePublished": "2020-04-01T18:18:48",
    "dateReserved": "2019-12-02T00:00:00",
    "dateUpdated": "2024-08-04T06:53:59.927Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-12425 (GCVE-0-2019-12425)
Vulnerability from cvelistv5
Published
2020-04-30 19:20
Modified
2024-08-04 23:17
Severity: not scored (the CVE record below carries no CVSS metrics)
CWE
  • CSRF Vulnerability (free-text problem type as recorded by the CNA; note that the vulnerability description for this CVE is Host header injection, not CSRF, so do not rely on this label for classification)
Summary
Apache OFBiz 17.12.01 is vulnerable to Host header injection: it accepts an arbitrary client-supplied Host header value. The problem type recorded for this CVE ("CSRF Vulnerability") does not match this description. Host header injection generally matters where an application builds absolute URLs or redirects from the request Host, so in addition to upgrading, deployments should enforce an allow-list of expected hostnames at the reverse proxy or servlet container.
Impacted products
Vendor Product Version
Apache Apache OFBiz Version: 17.12.01


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:17:40.005Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://s.apache.org/7sr1x"
          },
          {
            "name": "[ofbiz-user] 20200503 Re: [CVE-2019-12425] Apache OFBiz Host Header Injection",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r5181b36218225447d3ce70891eeccfb6d6885309dffd7e0e59091817%40%3Cuser.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-user] 20200504 Re: [CVE-2019-12425] Apache OFBiz Host Header Injection",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r907ce90745b52d2d5b6a815de03fd1d5f3831ab579a81d70cfda6f3d%40%3Cuser.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-commits] 20210321 [ofbiz-site] branch master updated: Updates security page for CVE-2021-26295 fixed in 17.12.06",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r0a0a701610b3bcdf14634047313adab3f1628bb9aa55cf29cd262ef5%40%3Ccommits.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-commits] 20210427 [ofbiz-site] branch master updated: Updates security page for CVE-2021-29200 and 30128 fixed in 17.12.07",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d%40%3Ccommits.ofbiz.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache OFBiz",
          "vendor": "Apache",
          "versions": [
            {
              "status": "affected",
              "version": "17.12.01"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache OFBiz 17.12.01 is vulnerable to Host header injection by accepting arbitrary host"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CSRF Vulnerability",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-04-27T21:06:20",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://s.apache.org/7sr1x"
        },
        {
          "name": "[ofbiz-user] 20200503 Re: [CVE-2019-12425] Apache OFBiz Host Header Injection",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r5181b36218225447d3ce70891eeccfb6d6885309dffd7e0e59091817%40%3Cuser.ofbiz.apache.org%3E"
        },
        {
          "name": "[ofbiz-user] 20200504 Re: [CVE-2019-12425] Apache OFBiz Host Header Injection",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r907ce90745b52d2d5b6a815de03fd1d5f3831ab579a81d70cfda6f3d%40%3Cuser.ofbiz.apache.org%3E"
        },
        {
          "name": "[ofbiz-commits] 20210321 [ofbiz-site] branch master updated: Updates security page for CVE-2021-26295 fixed in 17.12.06",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r0a0a701610b3bcdf14634047313adab3f1628bb9aa55cf29cd262ef5%40%3Ccommits.ofbiz.apache.org%3E"
        },
        {
          "name": "[ofbiz-commits] 20210427 [ofbiz-site] branch master updated: Updates security page for CVE-2021-29200 and 30128 fixed in 17.12.07",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d%40%3Ccommits.ofbiz.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2019-12425",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache OFBiz",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "17.12.01"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache OFBiz 17.12.01 is vulnerable to Host header injection by accepting arbitrary host"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CSRF Vulnerability"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://s.apache.org/7sr1x",
              "refsource": "CONFIRM",
              "url": "https://s.apache.org/7sr1x"
            },
            {
              "name": "[ofbiz-user] 20200503 Re: [CVE-2019-12425] Apache OFBiz Host Header Injection",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r5181b36218225447d3ce70891eeccfb6d6885309dffd7e0e59091817@%3Cuser.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-user] 20200504 Re: [CVE-2019-12425] Apache OFBiz Host Header Injection",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r907ce90745b52d2d5b6a815de03fd1d5f3831ab579a81d70cfda6f3d@%3Cuser.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-commits] 20210321 [ofbiz-site] branch master updated: Updates security page for CVE-2021-26295 fixed in 17.12.06",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r0a0a701610b3bcdf14634047313adab3f1628bb9aa55cf29cd262ef5@%3Ccommits.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-commits] 20210427 [ofbiz-site] branch master updated: Updates security page for CVE-2021-29200 and 30128 fixed in 17.12.07",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d@%3Ccommits.ofbiz.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2019-12425",
    "datePublished": "2020-04-30T19:20:11",
    "dateReserved": "2019-05-28T00:00:00",
    "dateUpdated": "2024-08-04T23:17:40.005Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-12426 (GCVE-0-2019-12426)
Vulnerability from cvelistv5
Published
2020-02-06 16:47
Modified
2024-08-04 23:17
Severity: not scored (the CVE record below carries no CVSS metrics)
CWE
  • Information Disclosure (free-text problem type; the CVE record carries no CWE identifier)
Summary
An unauthenticated user could access information from some backend screens by invoking the setSessionLocale request in Apache OFBiz 16.11.01 to 16.11.06.
Impacted products
Vendor Product Version
Apache Apache OFBiz Version: 16.11.01 to 16.11.06


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:17:40.123Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://s.apache.org/w0dem"
          },
          {
            "name": "[announce] 20200206 [SECURITY] CVE-2019-12426 information disclosure vulnerability in Apache OFBiz",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r40a3c0930f7945e97e30c25422f52dbe476d5584346c3de5c556c272%40%3Cannounce.apache.org%3E"
          },
          {
            "name": "[ofbiz-commits] 20200306 svn commit: r1874880 [5/5] - in /ofbiz/site: download.html release-notes-17.12.01.html security.html template/page/download.tpl.php template/page/release-notes-17.12.01.tpl.php template/page/security.tpl.php",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d%40%3Ccommits.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-commits] 20200430 svn commit: r1877207 - in /ofbiz/site: security.html template/page/security.tpl.php",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r034123f2767830169fd04c922afb22d2389de6e2faf3a083207202bc%40%3Ccommits.ofbiz.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache OFBiz",
          "vendor": "Apache",
          "versions": [
            {
              "status": "affected",
              "version": "Apache OFBiz 16.11.01 to 16.11.06"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "an unauthenticated user could get access to information of some backend screens by invoking setSessionLocale in Apache OFBiz 16.11.01 to 16.11.06"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information Disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-30T14:06:10",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://s.apache.org/w0dem"
        },
        {
          "name": "[announce] 20200206 [SECURITY] CVE-2019-12426 information disclosure vulnerability in Apache OFBiz",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r40a3c0930f7945e97e30c25422f52dbe476d5584346c3de5c556c272%40%3Cannounce.apache.org%3E"
        },
        {
          "name": "[ofbiz-commits] 20200306 svn commit: r1874880 [5/5] - in /ofbiz/site: download.html release-notes-17.12.01.html security.html template/page/download.tpl.php template/page/release-notes-17.12.01.tpl.php template/page/security.tpl.php",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d%40%3Ccommits.ofbiz.apache.org%3E"
        },
        {
          "name": "[ofbiz-commits] 20200430 svn commit: r1877207 - in /ofbiz/site: security.html template/page/security.tpl.php",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r034123f2767830169fd04c922afb22d2389de6e2faf3a083207202bc%40%3Ccommits.ofbiz.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2019-12426",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache OFBiz",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Apache OFBiz 16.11.01 to 16.11.06"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An unauthenticated user could gain access to information from some backend screens by invoking setSessionLocale in Apache OFBiz 16.11.01 to 16.11.06."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://s.apache.org/w0dem",
              "refsource": "CONFIRM",
              "url": "https://s.apache.org/w0dem"
            },
            {
              "name": "[announce] 20200206 [SECURITY] CVE-2019-12426 information disclosure vulnerability in Apache OFBiz",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r40a3c0930f7945e97e30c25422f52dbe476d5584346c3de5c556c272@%3Cannounce.apache.org%3E"
            },
            {
              "name": "[ofbiz-commits] 20200306 svn commit: r1874880 [5/5] - in /ofbiz/site: download.html release-notes-17.12.01.html security.html template/page/download.tpl.php template/page/release-notes-17.12.01.tpl.php template/page/security.tpl.php",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rf8651e75162819a267384f8a31c20884bc3a9a6707afbf75200cd98d@%3Ccommits.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-commits] 20200430 svn commit: r1877207 - in /ofbiz/site: security.html template/page/security.tpl.php",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r034123f2767830169fd04c922afb22d2389de6e2faf3a083207202bc@%3Ccommits.ofbiz.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2019-12426",
    "datePublished": "2020-02-06T16:47:14",
    "dateReserved": "2019-05-28T00:00:00",
    "dateUpdated": "2024-08-04T23:17:40.123Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}