CVE-2024-38856

CVE Database · CVE-2024-38856

CVE-2024-38856

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

99.43%

Published

Aug 5, 2024

Modified

Oct 23, 2025

CISA Known Exploited Vulnerability

Added: 2024-08-27 · Due: 2024-09-17

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Public PoC / Exploit (10)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCsecurelayer7/CVE-2024-38856_Scanner★49 GitHub PoC0x20c/CVE-2024-38856-EXP★9 GitHub PoCBBD-YZZ/CVE-2024-38856-RCE★3 GitHub PoCHex00-0x4/CVE-2024-38856-Apache-OFBiz★3 GitHub PoCAp0dexMe0/CVE-2024-38856★2 GitHub PoCPraison001/CVE-2024-38856-ApacheOfBiz★1 GitHub PoCemanueldosreis/CVE-2024-38856★1 GitHub PoCAlissonFaoli/Apache-OFBiz-Exploit★1

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-863

Affected Products (1)

apache · ofbiz (up to 18.12.15)vulnerable

References (6)

https://issues.apache.org/jira/browse/OFBIZ-13128

Issue Tracking

https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w

Mailing ListVendor Advisory

https://ofbiz.apache.org/download.html