A zero-day security flaw has been discovered in the Apache OfBiz, an open-source Enterprise Resource Planning (ERP) system, that could allow attackers to bypass authentication protections. The vulnerability, known as CVE-2023-51467, is a result of an incomplete patch for another critical vulnerability (CVE-2023-49070) that was released earlier this month. The root issue was left intact during the patch, allowing the authentication bypass to still be present. CVE-2023-49070 is a pre-authenticated remote code execution flaw that could give threat actors full control over the server and access sensitive data. CVE-2023-51467 can be triggered using empty or invalid USERNAME and PASSWORD parameters in an HTTP request, allowing unauthorized access to internal resources. The vulnerability allows attackers to achieve a simple Server-Side Request Forgery (SSRF). Users of Apache OfBiz are advised to update to version 18.12.11 or later to mitigate potential threats.
Source link
