Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mbadanoiu/mal-003

MAL-003: Groovy Security Bypass and Stored XSS in Apache OfBiz
https://github.com/mbadanoiu/mal-003

0-day authenticated bypass cross-site-scripting groovy remote-code-execution stored-xss

Last synced: about 1 month ago
JSON representation

MAL-003: Groovy Security Bypass and Stored XSS in Apache OfBiz

Host: GitHub
URL: https://github.com/mbadanoiu/mal-003
Owner: mbadanoiu
Created: 2024-02-16T18:55:33.000Z (9 months ago)
Default Branch: main
Last Pushed: 2024-02-16T19:11:53.000Z (9 months ago)
Last Synced: 2024-10-12T19:00:13.149Z (about 1 month ago)
Topics: 0-day, authenticated, bypass, cross-site-scripting, groovy, remote-code-execution, stored-xss
Homepage:
Size: 802 KB
Stars: 0
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# MAL-003: Groovy Security Bypass and Stored XSS in Apache OfBiz

A Groovy RCE and XSS have been identified in Apache OfBiz <= 18.12.05.

### Why no CVE?

[Apache OfBiz](https://ofbiz.apache.org/) does not create CVEs for "post-auth attacks done using demo credentials, notably using the admin user" as mentioned on their [security page](https://ofbiz.apache.org/security.html).

### Requirements:

This vulnerability requires:

- Valid user credentials

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/MAL-003/blob/main/Apache%20OfBiz%20-%20MAL-003.pdf).