Impact
This vulnerability allows an authenticated user with low privileges to gain higher privileges by bypassing the authorization checks on updateOrRemove operations. The flaw is a classic authorization bypass, classified as CWE-285. An attacker who already holds a low-privilege account needs nothing more to elevate their access rights, potentially compromising the entire system.
Affected Systems
Apache Software Foundation's Apache OFBiz, versions earlier than 24.09.07. The application's default user account is low-privilege, and that is all that is needed to exploit the flaw and step up privileges.
Risk and Exploitability
The CVSS score of 8.8 indicates high severity, while the EPSS score is below 1% and there is no KEV listing, suggesting limited evidence of current exploitation. Nonetheless, exploitation is straightforward for any authenticated user: send a request to the vulnerable updateOrRemove endpoint and obtain elevated rights. An attacker can then perform any action permitted by the higher privilege level. The risk is high because the flaw removes the distinction between low- and high-level users within the application.
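As an added example (not part of the OpenCVE enrichment or of Apache OFBiz itself), a small Python triage helper for defenders: it checks whether an installed release is earlier than the fixed 24.09.07, comparing version fields numerically, and flags requests to updateOrRemove operations in an access log. The log format, request paths and account names are constructed assumptions, not OFBiz's real formats.

```python
import re

FIXED_VERSION = "24.09.07"  # first fixed release named in the advisory

def parse_version(version: str) -> tuple:
    """Dotted OFBiz release string -> tuple of ints. Fields are zero-padded
    ("24.09.07"), so compare numerically, not as strings; "-rc1"-style suffixes are ignored."""
    parts = []
    for field in version.strip().split("."):
        m = re.match(r"\d+", field)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def is_vulnerable(installed: str) -> bool:
    """True when the installed release is earlier than the fixed version."""
    return parse_version(installed) < parse_version(FIXED_VERSION)

# Constructed, simplified access-log format (an assumption, not OFBiz's own):
#   <user> <client-ip> <method> <request-path> <status>
LOG_RE = re.compile(
    r"^(?P<user>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

def flag_update_or_remove(lines) -> list:
    """Parsed entries whose path targets an updateOrRemove operation; malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m or "updateOrRemove" not in m["path"]:
            continue
        hits.append({"user": m["user"], "ip": m["ip"], "method": m["method"],
                     "path": m["path"], "status": int(m["status"])})
    return hits

def triage(installed: str, lines) -> dict:
    """Exposure (version check) plus updateOrRemove requests worth reviewing, with the successful ones."""
    hits = flag_update_or_remove(lines)
    return {"vulnerable": is_vulnerable(installed),
            "suspect_requests": hits,
            "succeeded": [h for h in hits if h["status"] == 200]}

# Constructed sample log; paths are placeholders, not real OFBiz request URIs.
SAMPLE_LOG = [
    "admin 10.0.0.5 POST /control/updateOrRemoveExample 200",
    "guest 10.0.0.9 GET /control/main 200",
    "lowpriv 10.0.0.7 POST /control/updateOrRemoveExample 200",
    "lowpriv 10.0.0.7 POST /control/updateOrRemoveExample 403",
    "not a log line",
]
```

A successful (200) updateOrRemove request from a non-administrative account on a release that `is_vulnerable` reports as exposed is the case the advisory describes and should be reviewed first.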
OpenCVE Enrichment