Vulnerability in Apache OFBiz
CVE-2020-9496
XML-RPC requests are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03
EPSS: 0.938 (99.9th percentile), i.e. a very high predicted probability of exploitation activity in the wild over the next 30 days.
Affected products
- Apache OFBiz, version 17.12.03 (the issue was fixed in 17.12.04)
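The description above says the XML-RPC endpoint deserializes request arguments. The following detector is an added example for this page, not code from Apache OFBiz or from any published proof of concept. It assumes the attacker uses the Apache XML-RPC extension type `<ex:serializable>` (namespace `http://ws.apache.org/xmlrpc/namespaces/extensions`), whose text is a base64-encoded Java serialization stream beginning with the magic bytes `AC ED 00 05`; the request bodies and the `/control/xmlrpc` path are constructed for the demo, and the "payload" is only the stream header plus filler, not a gadget chain.

```python
"""Flag Java serialization streams carried in XML-RPC request bodies.

Added example for the CVE-2020-9496 page; not OFBiz project code and not
a published exploit.  Assumption: the serialized object travels in Apache
XML-RPC's <ex:serializable> extension element as base64 text.  All sample
requests below are constructed for the demo.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

# Java ObjectOutputStream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# Namespace Apache XML-RPC uses for its non-standard types (serializable, nil, i8, ...)
XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"


def find_serializable_values(body: bytes) -> list[bytes]:
    """Decode the text of every <ex:serializable> element in an XML-RPC body.

    Raises ET.ParseError on malformed XML; undecodable base64 yields b"".
    """
    root = ET.fromstring(body)
    blobs = []
    for el in root.iter(f"{{{XMLRPC_EXT_NS}}}serializable"):
        text = "".join((el.text or "").split())  # tolerate line-wrapped base64
        try:
            blobs.append(base64.b64decode(text, validate=True))
        except (binascii.Error, ValueError):
            blobs.append(b"")
    return blobs


def classify_request(body: bytes) -> dict:
    """Return a verdict for one XML-RPC POST body.

    'java-deserialization-attempt': at least one serializable value starts
    with the Java stream magic, i.e. exactly the kind of argument the
    unsafe-deserialization finding in OFBiz 17.12.03 is about.
    """
    try:
        blobs = find_serializable_values(body)
    except ET.ParseError:
        return {"verdict": "malformed-xml", "serialized_objects": 0}
    java_streams = [b for b in blobs if b.startswith(JAVA_SERIAL_MAGIC)]
    if java_streams:
        verdict = "java-deserialization-attempt"
    elif blobs:
        verdict = "serializable-type-present"  # extension type used, but not a Java stream
    else:
        verdict = "benign"
    return {"verdict": verdict, "serialized_objects": len(java_streams)}


def scan_requests(requests):
    """Run classify_request over (client, path, body) tuples; return the non-benign hits."""
    hits = []
    for client, path, body in requests:
        result = classify_request(body)
        if result["verdict"] != "benign":
            hits.append((client, path, result["verdict"]))
    return hits


# Constructed sample: an ordinary XML-RPC call with a scalar parameter.
BENIGN_REQUEST = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>ping</methodName>
  <params><param><value><string>hello</string></value></param></params>
</methodCall>"""

# Constructed sample: a struct member typed ex:serializable whose base64 text
# begins with the Java stream magic.  Filler bytes follow; no gadget chain.
_FAKE_STREAM = base64.b64encode(JAVA_SERIAL_MAGIC + b"sr" + b"\x00" * 16).decode()
SUSPICIOUS_REQUEST = f"""<?xml version="1.0"?>
<methodCall xmlns:ex="{XMLRPC_EXT_NS}">
  <methodName>test</methodName>
  <params><param><value><struct>
    <member><name>arg</name>
      <value><ex:serializable>{_FAKE_STREAM}</ex:serializable></value>
    </member>
  </struct></value></param></params>
</methodCall>""".encode()

if __name__ == "__main__":
    # Path is a placeholder; substitute the XML-RPC path of your deployment.
    sample = [
        ("10.0.0.5", "/control/xmlrpc", BENIGN_REQUEST),
        ("203.0.113.7", "/control/xmlrpc", SUSPICIOUS_REQUEST),
    ]
    for client, path, verdict in scan_requests(sample):
        print(client, path, verdict)
```

Run it over captured POST bodies (a WAF log, a proxy capture, or a request-body mirror in front of the application). The check is deliberately content-based rather than signature-based: it does not matter which gadget library an attacker picks, because every Java serialization stream starts with the same four bytes. Remember that detection is a compensating control only; the fix for this CVE is the upgrade and not exposing the XML-RPC endpoint to unauthenticated callers.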
References
- s.apache.org/l0994
- [announce] 2020-07-15: [CVE-2020-9496] Apache OFBiz XML-RPC requests vulnerable without authentication (mailing list)
- [ofbiz-notifications] 2020-07-16: [jira] [Updated] (OFBIZ-11716) Apache OFBiz unsafe deserialization of XMLRPC arguments (CVE-2020-9496) (mailing list)
- packetstormsecurity.com/files/158887/Apache-OFBiz-XML-RPC-Java-Deserialization…
- [ofbiz-user] 2020-11-16: [CVE-2020-9496] Apache OFBiz unsafe deserialization of XMLRPC arguments (mailing list)
- [ofbiz-user] 2020-11-17: Re: [CVE-2020-9496] Apache OFBiz unsafe deserialization of XMLRPC arguments (mailing list)
- packetstormsecurity.com/files/161769/Apache-OFBiz-XML-RPC-Java-Deserialization…
- [ofbiz-commits] 2021-03-21: [ofbiz-site] branch master updated: Updates security page for CVE-2021-26295 fixed in 17.12.06 (mailing list)
- [ofbiz-commits] 2021-04-27: [ofbiz-site] branch master updated: Updates security page for CVE-2021-29200 and 30128 fixed in 17.12.07 (mailing list)
- packetstormsecurity.com/files/163730/Apache-OfBiz-17.12.01-Remote-Command-Execu…
Frequently asked questions
- What is CVE-2020-9496?
- CVE-2020-9496 is an unsafe deserialization (and Cross-Site Scripting) vulnerability in the XML-RPC request handling of Apache OFBiz 17.12.03. Published 2020-07-15.
- Is CVE-2020-9496 known to be exploited?
- 59 public proof-of-concept repositories are indexed, so working exploit code is readily available, but the CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.