New Zero-Day Flaw in Apache OFBiz ERP Allows Remote Code Execution | Cybersecurity

Aug 06, 2024 | Ravie Lakshmanan | Enterprise Security / Vulnerability

A new zero-day pre-authentication vulnerability has been disclosed in the Apache OFBiz open-source enterprise resource planning (ERP) system that could allow unauthenticated threat actors to achieve remote code execution on affected instances.

Tracked as CVE-2024-38856, the flaw has a CVSS score of 9.8 out of a maximum of 10.0. It affects Apache OFBiz versions prior to 18.12.15.

“The root cause of the vulnerability lies in a flaw in the authentication mechanism,” SonicWall, which discovered and reported the shortcoming, said in a statement.

“This flaw allows an unauthenticated user to access functionalities that generally require the user to be logged in, paving the way for remote code execution.”

CVE-2024-38856 is also a patch bypass for CVE-2024-36104, a path traversal vulnerability that was addressed in…

Source thehackernews.com
