Apache OFBiz up to 17.12.3 eCommerce input validation

Summaryinfo

A vulnerability labeled as critical has been found in Apache OFBiz up to 17.12.3. Affected by this vulnerability is an unknown functionality of the component eCommerce. The manipulation results in input validation. This vulnerability is reported as CVE-2020-13923. The attack can be launched remotely. No exploit exists. The affected component should be upgraded.

Detailsinfo

A vulnerability was found in Apache OFBiz up to 17.12.3. It has been classified as critical. Affected is an unknown part of the component eCommerce. The manipulation with an unknown input leads to a input validation vulnerability. CWE is classifying the issue as CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. This is going to have an impact on integrity. CVE summarizes:

IDOR vulnerability in the order processing feature from ecommerce component of Apache OFBiz before 17.12.04

The weakness was disclosed 07/15/2020 (Website). The advisory is shared for download at s.apache.org. This vulnerability is traded as CVE-2020-13923 since 06/08/2020. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are neither technical details nor an exploit publicly available.

Upgrading to version 17.12.04 eliminates this vulnerability.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Vendor

• Apache

Name

• OFBiz

Version

• 17.12.0
• 17.12.1
• 17.12.2
• 17.12.3

License

• open-source

Website

• Vendor: https://www.apache.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion