CVE-2024-45195: Apache OFBiz: Confused controller-view authorization logic (forced browsing)

7.5 CVSS

Description

Direct Request ('Forced Browsing') vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 18.12.16.

Users are recommended to upgrade to version 18.12.16, which fixes the issue.

🚨 Marked as known exploited on February 4th, 2025 (2 months ago).

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vendor: Apache Software Foundation

Product: Apache OFBiz

EPSS Score: 75.58% (probability of being exploited)

EPSS Percentile: 98.45% (scored less or equal to compared to others)

EPSS Date: 2025-03-05 (when was this score calculated)

2025-02-04 15:49:15 UTC
CISA KEV

Apache OFBiz Forced Browsing Vulnerability
2025-02-04 15:50:41 UTC
🚨 Marked as Known Exploited
2025-02-05 00:49:13 UTC
CVE

Apache OFBiz: Confused controller-view authorization logic (forced browsing)
2025-02-05 06:00:28 UTC
TheHackerNews

CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog, Urges Fixes by Feb 25