CVE-2024-48962 HIGH

CVE-2024-48962: Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE)

Vendor Apache Software Foundation

Product Apache OFBiz

Weakness CWE-94 · Code injection

Published November 18, 2024

Last update May 4, 2026

View on NVD All CVEs

CVSS base score

8.9/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N/R:U/V:C/RE:H/U:Amber

What the vulnerability does

Description

Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue.

Key dates

Disclosure timeline

November 18, 2024 CVE published

May 4, 2026 Record updated