8.8
HIGH
CVE-2024-48962
Apache OFBiz Code Injection and CSRF Vulnerability
Description

Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue.

INFO

Published Date :

Nov. 18, 2024, 9:15 a.m.

Last Modified :

Feb. 11, 2025, 4:16 p.m.

Remotely Exploitable :

Yes !

Impact Score :

5.9

Exploitability Score :

2.8
Public PoC/Exploit Available at Github

CVE-2024-48962 has a 1 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by CVE-2024-48962 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Apache ofbiz
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-48962.

URL Resource
https://issues.apache.org/jira/browse/OFBIZ-13162 Issue Tracking
https://lists.apache.org/thread/6sddh4pts90cp8ktshqb4xykdp6lb6q6 Mailing List
https://ofbiz.apache.org/download.html Product
https://ofbiz.apache.org/security.html Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/11/16/2 Mailing List

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

None

Updated: 3 days, 20 hours ago
0 stars 0 fork 0 watcher
Born at : Nov. 18, 2024, 11:55 a.m. This repo has been linked 2 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-48962 vulnerability anywhere in the article.

  • Cybersecurity News
CVE-2024-42448 (CVSS 9.9): Critical RCE Vulnerability in Veeam VSPC

Veeam Software, a prominent provider of backup and disaster recovery solutions, has released urgent security updates to address two critical vulnerabilities in its Service Provider Console (VSPC). One ... Read more

Published Date: Dec 04, 2024 (7 months, 1 week ago)
  • Cybersecurity News
New Report Reveals SmokeLoader’s Advanced Tactics in Taiwan Campaign

Attack flow | Image: FortiGuard LabsA recent report by FortiGuard Labs has highlighted a targeted cyberattack involving the infamous SmokeLoader malware. This campaign, observed in September 2024, aim ... Read more

Published Date: Dec 03, 2024 (7 months, 1 week ago)
  • Cybersecurity News
SMOKEDHAM Backdoor: UNC2465’s Stealth Weapon for Extortion and Ransomware Campaigns

A comprehensive analysis by TRAC Labs has shed light on the SMOKEDHAM backdoor, a malicious tool leveraged by the financially motivated threat actor UNC2465. Active since 2019, SMOKEDHAM plays a centr ... Read more

Published Date: Nov 28, 2024 (7 months, 2 weeks ago)
  • Cybersecurity News
Volt Typhoon: Chinese State-Sponsored APT Targets U.S. Critical Infrastructure

The Tenable Security Response Team has uncovered critical details about Volt Typhoon, a state-sponsored Advanced Persistent Threat (APT) group linked to the People’s Republic of China. The group has b ... Read more

Published Date: Nov 22, 2024 (7 months, 3 weeks ago)

The following table lists the changes that have been made to the CVE-2024-48962 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Feb. 11, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    Added CWE NIST CWE-352
    Added CWE NIST CWE-94
    Added CPE Configuration OR *cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:* versions up to (excluding) 18.12.17
    Changed Reference Type http://www.openwall.com/lists/oss-security/2024/11/16/2 No Types Assigned http://www.openwall.com/lists/oss-security/2024/11/16/2 Mailing List
    Changed Reference Type https://issues.apache.org/jira/browse/OFBIZ-13162 No Types Assigned https://issues.apache.org/jira/browse/OFBIZ-13162 Issue Tracking
    Changed Reference Type https://lists.apache.org/thread/6sddh4pts90cp8ktshqb4xykdp6lb6q6 No Types Assigned https://lists.apache.org/thread/6sddh4pts90cp8ktshqb4xykdp6lb6q6 Mailing List
    Changed Reference Type https://ofbiz.apache.org/download.html No Types Assigned https://ofbiz.apache.org/download.html Product
    Changed Reference Type https://ofbiz.apache.org/security.html No Types Assigned https://ofbiz.apache.org/security.html Vendor Advisory
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Nov. 21, 2024

    Action Type Old Value New Value
    Removed CVSS V3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference http://www.openwall.com/lists/oss-security/2024/11/16/2
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Nov. 19, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 CISA-ADP AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE Received by [email protected]

    Nov. 18, 2024

    Action Type Old Value New Value
    Added Description Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue.
    Added Reference Apache Software Foundation https://ofbiz.apache.org/download.html [No types assigned]
    Added Reference Apache Software Foundation https://ofbiz.apache.org/security.html [No types assigned]
    Added Reference Apache Software Foundation https://issues.apache.org/jira/browse/OFBIZ-13162 [No types assigned]
    Added Reference Apache Software Foundation https://lists.apache.org/thread/6sddh4pts90cp8ktshqb4xykdp6lb6q6 [No types assigned]
    Added CWE Apache Software Foundation CWE-94
    Added CWE Apache Software Foundation CWE-1336
    Added CWE Apache Software Foundation CWE-352
    Added CVSS V4.0 Apache Software Foundation CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Amber
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-48962 is associated with the following CWEs:

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
© cvefeed.io
Latest DB Update: Jul. 14, 2025 13:03