Description

Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in the Apache OFBiz scrum plugin. This issue affects Apache OFBiz versions before 24.09.02, and only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability. Users are recommended to upgrade to version 24.09.02, which fixes the issue.

Status: PUBLISHED | Reserved 2025-07-23 | Published 2025-08-15 | Updated 2025-08-19 | Assigner: apache

Problem types

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Default status: unaffected

Any version before 24.09.02: affected

Credits

Teeramet Eakwilai <teeramet@datafarm.co.th> finder

Thanasin Luangpipat finder

Jarukit Auikritskul finder

References

ofbiz.apache.org/download.html mitigation

ofbiz.apache.org/security.html related

ofbiz.apache.org/release-notes-24.09.02.html release-notes

issues.apache.org/jira/browse/OFBIZ-13276 issue-tracking

lists.apache.org/thread/14d0yd9co9gx2mctd3vyz1cc8d39n915 vendor-advisory

cve.org (CVE-2025-54466)

nvd.nist.gov (CVE-2025-54466)