CVE-2024-45195

CRITICAL 9.8

⚠️ CISA KEV

Apache OFBiz: Confused controller-view authorization logic (forced browsing)

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.

CWE	CWE-425
Vendor	apache software foundation
Product	apache ofbiz
Published	Sep 4, 2024
Last Updated	Oct 21, 2025

⚠️ Actively Exploited — Act Now

Get instant alerts for apache software foundation apache ofbiz

This vulnerability is actively exploited in the wild. Set up free real-time alerts so you're first to know about threats like CVE-2024-45195.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache OFBiz

0 < 18.12.16

References

NVD ↗ CVE.org ↗ EPSS Data ↗

ofbiz.apache.org: https://ofbiz.apache.org/download.html ofbiz.apache.org: https://ofbiz.apache.org/security.html issues.apache.org: https://issues.apache.org/jira/browse/OFBIZ-13130 lists.apache.org: https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy openwall.com: http://www.openwall.com/lists/oss-security/2024/09/03/6 cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45195

Credits

shin24 from National Cyber Security Vietnam LuanPV from National Cyber Security Vietnam Ryan Emmons, Lead Security Researcher at Rapid7 Hasib Vhora, Senior Threat Researcher, SonicWall Xenc from SGLAB of Legendsec at Qi'anxin Group