Reported back in September, but made the news today:
https://www.bleepingcomputer.com/news/security/cisa-tags-microsoft-net-and-apache-ofbiz-bugs-as-exploited-in-attacks/
The Apache OFBiz flaw is CVE-2024-45195
<https://nvd.nist.gov/vuln/detail/CVE-2024-45195>, a critical-severity
(CVSS v3 score: 9.8) remote code execution vulnerability affecting
OFBiz versions before 18.12.16.
The flaw is a forced browsing (direct request) weakness: restricted
paths can be reached by unauthenticated requests that bypass the
intended access checks.
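To make the vulnerability class concrete, here is a small added Python illustration of a forced browsing weakness (CWE-425, "Direct Request") and its fix. This is a hypothetical mini-dispatcher written for this post; it is not OFBiz code, it does not reproduce the actual OFBiz bug, and the route table, paths and function names are all invented for the example.

```python
# Hypothetical illustration of CWE-425 "Direct Request ('Forced Browsing')".
# Not Apache OFBiz code; the routes and paths below are made up.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Request:
    path: str
    session_user: Optional[str]  # None means the client is unauthenticated


# Route table: path -> (response body, whether the page is restricted).
# Constructed sample data for the example.
ROUTES = {
    "/control/main": ("public landing page", False),
    "/control/login": ("login form", False),
    "/control/admin/export": ("admin-only export tool", True),
}


def dispatch_vulnerable(req: Request) -> Tuple[int, str]:
    """Vulnerable pattern: the landing page hides admin links from
    anonymous users, but the restricted handlers themselves never check
    the session. Anyone who knows or guesses the path can request it
    directly and is served the restricted page."""
    if req.path not in ROUTES:
        return 404, "not found"
    body, _restricted = ROUTES[req.path]  # restricted flag is never consulted
    if req.path == "/control/main" and req.session_user is None:
        body = "public landing page (admin links hidden)"
    return 200, body


def dispatch_hardened(req: Request) -> Tuple[int, str]:
    """Hardened pattern: authorization is enforced on the resolved target
    of every request, so hiding a link is no longer the only thing between
    an anonymous client and a restricted handler."""
    if req.path not in ROUTES:
        return 404, "not found"
    body, restricted = ROUTES[req.path]
    if restricted and req.session_user is None:
        return 403, "authentication required"
    return 200, body


if __name__ == "__main__":
    anon = Request("/control/admin/export", None)
    print("vulnerable:", dispatch_vulnerable(anon))  # served without login
    print("hardened:  ", dispatch_hardened(anon))    # 403
```

The point of the comparison is the one a reviewer would check in any controller or servlet: every restricted handler must be denied on its own, regardless of how the client arrived at it, not only the entry points the UI happens to link to.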
The flaw was originally discovered by Rapid7, who also published a
proof-of-concept (PoC) exploit; the vendor fixed it in September 2024
<https://www.bleepingcomputer.com/news/security/apache-fixes-critical-ofbiz-remote-code-execution-vulnerability/>.
Users should upgrade to Apache OFBiz 18.12.16 or later, which addresses
the issue.
Now that CISA has added it to its Known Exploited Vulnerabilities
catalog, it urges potentially impacted agencies and organizations to
apply the available patches and mitigations by February 25, 2025, or
stop using the products.