BleepingComputer reports that updates have been provided by Apache to address a critical flaw in its open-source enterprise resource planning system OFBiz, tracked as CVE-2024-45195, which could be leveraged to facilitate arbitrary code execution on Windows and Linux servers.
The vulnerability bypasses the fixes issued for three earlier OFBiz bugs, tracked as CVE-2024-38856, CVE-2024-36104, and CVE-2024-32113, all of which stem from the same fragmentation issue in the controller-view map that could allow unauthenticated remote code or SQL query execution, according to Rapid7 security researchers, who also published a proof-of-concept exploit for the latest flaw. "An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server," said Rapid7 researcher Ryan Emmons. The development comes nearly a month after attacks leveraging CVE-2024-32113 were discovered, prompting its addition to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog.