Threat actors could leverage a new critical zero-day vulnerability impacting the open-source enterprise resource planning system Apache OFBiz, tracked as CVE-2024-38856, to facilitate remote code execution, according to The Hacker News.
Such a security issue — which is a patch bypass for the already addressed path traversal flaw, tracked as CVE-2024-36104 — stems from an authentication mechanism vulnerability enabling unauthenticated access to critical endpoints, showed an analysis from SonicWall, which identified and reported the bug. "Unauthenticated access was allowed to the ProgramExport endpoint by chaining it with any other endpoints that do not require authentication by abusing the override view functionality," said SonicWall researcher Hasib Vhora. Attackers had exploited another critical OFBiz path traversal flaw, tracked as CVE-2024-32113, to facilitate Mirai botnet delivery. Both developments come months after SonicWall reported a critical OFBiz bug, tracked as CVE-2023-51467, which has since been subjected to widespread exploitation attempts.
