CVE-2024-45195

Severity: HIGH · CISA KEV · EPSS 100.0%
Published Sep 4, 2024 (1y ago) · Modified Jun 17, 2026 (1w ago)
CVSS 3.1 Base Score: 7.5 (High)
KEV Listed Feb 4, 2025 (1y ago)
KEV Due Feb 25, 2025 (491d overdue)

Description

Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.

CVSS Details

Base Score 7.5
Exploitability 3.9
Impact 3.6
Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

CISA Known Exploited (Overdue 491d)
Added Feb 4, 2025
Due Feb 25, 2025

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

EPSS Exploit Probability 100.0% (percentile)
Exploit & Patch Status
Actively Exploited (KEV)
No Patch Available

Weaknesses 1

CWE-425: Direct Request ('Forced Browsing')

Affected Products 1

Vendor   Product   Version   Range
apache   ofbiz     *         <18.12.16

References 6

  • openwall.com http://www.openwall.com/lists/oss-security/2024/09/03/6
    Mailing List
  • issues.apache.org https://issues.apache.org/jira/browse/OFBIZ-13130
    Issue Tracking, Vendor Advisory
  • lists.apache.org https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy
    Vendor Advisory
  • ofbiz.apache.org https://ofbiz.apache.org/download.html
    Product
  • ofbiz.apache.org https://ofbiz.apache.org/security.html
    Vendor Advisory
  • cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45195
    Third Party Advisory, US Government Resource

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.