mbadanoiu / MAL-003

MAL-003: Groovy Security Bypass and Stored XSS in Apache OfBiz

0-day bypass groovy stored-xss cross-site-scripting authenticated remote-code-execution

MAL-003: Groovy Security Bypass and Stored XSS in Apache OfBiz

A Groovy RCE and XSS have been identified in Apache OfBiz <= 18.12.05.

Why no CVE?

Apache OfBiz does not create CVEs for "post-auth attacks done using demo credentials, notably using the admin user" as mentioned on their security page.

Requirements:

This vulnerability requires:

Valid user credentials

Proof Of Concept:

More details and the exploitation process can be found in this PDF.

About

MAL-003: Groovy Security Bypass and Stored XSS in Apache OfBiz

0-day bypass groovy stored-xss cross-site-scripting authenticated remote-code-execution