CVE-2024-45195 Apache OFBiz Forced Browsing


CVE-2024-45195 is a critical security vulnerability identified in Apache OFBiz, an open-source enterprise resource planning (ERP) system. This vulnerability allows unauthenticated attackers to execute arbitrary code on affected systems by exploiting missing authorization checks within the web application. The issue arises from a ‘Forced Browsing’ flaw, where unauthorized users can access restricted areas of the application. Apache OFBiz versions prior to 18.12.16 are affected. Users are strongly advised to upgrade to version 18.12.16 or later to mitigate this vulnerability.

What is Vulnerable to CVE-2024-45195

All instances of Apache OFBiz versions before 18.12.16 are susceptible to CVE-2024-45195. This includes deployments across various operating systems, such as Linux and Windows. The vulnerability stems from inadequate authorization checks, allowing attackers to access and execute functions intended for authenticated users without proper credentials.

Mitigation and Remediation for CVE-2024-45195

To protect systems from CVE-2024-45195, the following steps are recommended:

  • Upgrade Apache OFBiz: Immediately update to version 18.12.16 or later, where the vulnerability has been addressed.

  • Implement Web Application Firewalls (WAFs): Deploy WAFs to monitor and filter incoming traffic, helping to block malicious requests attempting to exploit this vulnerability.

  • Regular Security Audits: Conduct periodic security assessments to identify and remediate potential vulnerabilities promptly.

  • Access Control Reviews: Ensure that proper authorization checks are in place for all sensitive functionalities within the application.

Impact of Successful Exploitation of CVE-2024-45195

Exploiting CVE-2024-45195 can have severe consequences, including:

  • Unauthorized Data Access: Attackers may retrieve sensitive information, such as user credentials, financial records, and personal data.

  • System Compromise: Execution of arbitrary code can lead to full control over the affected system, allowing installation of malware, data exfiltration, or further network penetration.

  • Operational Disruption: Critical business processes managed by Apache OFBiz could be interrupted, leading to potential financial losses and reputational damage.

Proof of Concept for CVE-2024-45195

A proof of concept (PoC) for CVE-2024-45195 involves crafting a specific HTTP request that exploits the missing authorization checks. For instance, an attacker can send a request to a vulnerable endpoint, such as /webtools/control/forgotPassword/ProgramExport, with a payload designed to execute arbitrary code. This method leverages the application’s inadequate authorization mechanisms to gain unauthorized access and control.
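As a defensive counterpart to the request described above and to the WAF/monitoring recommendation in the mitigation list, the following is an added example (not code from the original article or from the Apache OFBiz project) that scans web server access logs for the forced-browsing pattern this advisory describes: a request whose path chains a public request name with a restricted view name under the controller path, such as /webtools/control/forgotPassword/ProgramExport. The log lines, the IP addresses and the set of restricted view names are constructed assumptions for illustration; the script flags such requests whether they returned 200 or 403, so an analyst can tell a successful hit from a blocked attempt.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Sep/2024:10:12:01 +0000] "GET /webtools/control/main HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Sep/2024:10:12:04 +0000] "POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.7 - - [05/Sep/2024:10:13:22 +0000] "GET /webtools/control/forgotPassword HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Sep/2024:10:13:40 +0000] "GET /webtools/control/showDateTime/ProgramExport HTTP/1.1" 403 0 "-" "curl/8.4"
"""

# Combined-log-format parser: client IP, timestamp, method, path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Assumption: view names that must only be reachable by authenticated, authorised users.
# ProgramExport is the one named in the advisory; extend this set for your deployment.
RESTRICTED_VIEWS = {"ProgramExport"}


def parse_line(line):
    """Return a dict with ip/ts/method/path/status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_forced_browsing(path):
    """True when the path looks like <app>/control/<public request>/<restricted view>.

    A plain request such as /webtools/control/forgotPassword has only one segment
    after 'control' and is not flagged; chaining a restricted view name behind a
    public request name is the pattern described for CVE-2024-45195.
    """
    path = path.split("?", 1)[0]            # drop the query string
    segs = [s for s in path.split("/") if s]
    if "control" not in segs:
        return False
    tail = segs[segs.index("control") + 1:]
    return len(tail) >= 2 and tail[-1] in RESTRICTED_VIEWS


def find_suspicious(log_text):
    """Return the parsed records of every request matching the forced-browsing pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_forced_browsing(rec["path"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged requests per client IP, useful for prioritising response."""
    return dict(Counter(rec["ip"] for rec in hits))


if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        outcome = "SUCCEEDED" if rec["status"] < 400 else "blocked"
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]} ({outcome})')
    print(summarize(find_suspicious(SAMPLE_LOG)))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a 200 on a flagged path is the record to treat as a probable compromise on an unpatched (pre-18.12.16) instance, while a 403 indicates the WAF or application denied the attempt and is still worth recording as reconnaissance.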

