QID 731068
QID 731068: Apache OFBiz Server-Side Request Forgery (SSRF) Vulnerability
Apache OFBiz is an open source enterprise resource planning (ERP) system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise. Apache OFBiz contains an arbitrary file properties reading vulnerability: a user can invoke a URI that reads properties files without any authorization. The same URI can be used to carry out a Server-Side Request Forgery (SSRF) attack, again without authorization. Users are recommended to upgrade to version 18.12.11, which fixes this issue.
Affected Versions:
Apache OFBiz versions prior to 18.12.11.
QID Detection Logic :
This QID sends a crafted payload as an HTTP POST request to the '/partymgr/control/getJSONuiLabel' and '/partymgr/control/getJSONuiLabelArray' endpoints and checks for a callback to the scanner. Please note that this QID relies on a callback to the scanner on a random port: the target must be able to open an outbound connection to any port on the scanner. If egress from the target to the scanner is filtered, the check cannot observe the callback and will not report the vulnerability even when it is present.
Successful exploitation of this vulnerability could lead to unauthorized access, data exposure, and access to internal systems or services reachable from the OFBiz server.
- Apache Security Advisory -
ofbiz.apache.org/security.html
CVEs related to QID 731068
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| Apache OFBiz Security Advisory | Apache OFBiz | | ofbiz.apache.org/security.html |