Severity: important

Affected versions:

- Apache OFBiz through 18.12.10

Description:

Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when a user makes a URI call without authorization. The same URI can be used to carry out an SSRF attack, also without authorization.

Users are recommended to upgrade to version 18.12.11, which fixes this issue.

Credit:

Yun Peng - 郭 运鹏 <puata...@outlook.com> (finder)

References:

https://ofbiz.apache.org/download.html
https://ofbiz.apache.org/security.html
https://ofbiz.apache.org/release-notes-18.12.11.html
https://issues.apache.org/jira/browse/OFBIZ-12875
https://ofbiz.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-50968