New critical Apache OFBiz vulnerability patched as older flaw is actively exploited

It’s unclear how many enterprises employ Apache OFBiz as many organizations might use it internally, but based on public data known users include large organizations such as IBM, HP, Accenture, United Airlines, Home Depot, and Upwork. Some third-party commercial applications, such as Atlassian JIRA, also use OFBiz modules. The project is used globally and across many industries, but over 40% of known users are based in the US.

The Open Web Application Security Project (OWASP) recently updated its list of top 10 open source security risks for enterprises, with known vulnerabilities topping the list.

New flaw found by analyzing previous one

The new flaw is located in the override view functionality and allows unauthenticated attackers to access sensitive and restricted endpoints using specially crafted requests. This can pave the way for remote code execution.