The Apache Software Foundation (ASF) has released an important security update for Apache OFBiz, its open-source enterprise resource planning (ERP) platform, addressing two newly disclosed vulnerabilities — a remote command execution flaw and a reflected cross-site scripting (XSS) issue — both affecting all versions prior to 24.09.03.
The more severe of the two, CVE-2025-59118, is classified as an Unrestricted Upload of File with Dangerous Type vulnerability.
This flaw allows remote attackers to upload arbitrary files, such as malicious scripts, to the server without proper validation or sanitization of the file's name or type, potentially enabling remote command execution (RCE) with the privileges of the running OFBiz service.
“Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz,” the ASF advisory warns.
Attackers exploiting this flaw could gain complete control over the underlying operating system, execute arbitrary commands, deploy web shells, or pivot deeper into enterprise networks where OFBiz is integrated with critical business systems.
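The root cause of an Unrestricted Upload of File with Dangerous Type flaw is that the server trusts the client-supplied filename and content. The following added example (not code from Apache OFBiz or the advisory) shows the validation an upload handler should apply before a file is written: an allowlist of extensions, a check that the file's leading bytes match the claimed type, and a server-generated storage name so no user-controlled characters reach the filesystem. The allowlist and magic bytes are constructed for illustration.

```python
import secrets
from pathlib import PurePosixPath
from typing import Optional

# Constructed allowlist: extension -> leading bytes expected for that type.
# Only formats the application genuinely needs should appear here; executable
# server-side types (.jsp, .jspx, .war, .sh, ...) are rejected by omission.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def validate_upload(client_name: str, data: bytes) -> Optional[str]:
    """Return a safe server-side filename, or None if the upload must be rejected.

    The client-supplied name is never trusted: directories are stripped, only the
    final extension is consulted, and the stored name is freshly generated, so
    traversal sequences and double extensions cannot influence where or as what
    the file is written.
    """
    if "\x00" in client_name:
        return None  # embedded NUL can truncate the name in lower layers
    base = PurePosixPath(client_name.replace("\\", "/")).name
    if "." not in base:
        return None  # no extension: cannot establish an allowed type
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return None  # not on the allowlist, whatever the content looks like
    if not data.startswith(ALLOWED_TYPES[ext]):
        return None  # content does not match the claimed type
    # Generated name: the caller should still store it outside the web root
    # and serve it with a fixed Content-Type, since a valid image can carry
    # embedded script text that a misconfigured server might interpret.
    return f"{secrets.token_hex(16)}.{ext}"
```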
The second flaw, CVE-2025-61623, is a reflected XSS vulnerability that allows attackers to inject malicious JavaScript into the browser of unsuspecting users via manipulated URLs or crafted input parameters.
“Reflected cross-site scripting vulnerability in Apache OFBiz,” according to the advisory.
If exploited, attackers could steal session cookies, impersonate users, or perform unauthorized actions within OFBiz’s web management console.
Given OFBiz’s role in managing sensitive enterprise workflows — from accounting and e-commerce to inventory — the potential impact includes data leakage, credential theft, and session hijacking.
Although XSS typically requires some form of user interaction, such as clicking a malicious link, the threat remains high in multi-user administrative environments, especially when combined with social engineering or phishing campaigns.
ASF strongly urges immediate upgrades, noting that version 24.09.03 fully mitigates both issues.