CVE-2025-54466

Apache OFBiz: RCE Vulnerability in scrum plugin

CVSS 6.3 MEDIUMEPSS 14.0%CWE-94

Vexday Risk Score

18Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 6.3EPSS 14.0%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

15 ago 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability. Users are recommended to upgrade to version 24.09.02, which fixes the issue.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Productos afectados

Apache Software Foundation · Apache OFBiz

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://issues.apache.org/jira/browse/OFBIZ-13276 https://lists.apache.org/thread/14d0yd9co9gx2mctd3vyz1cc8d39n915 https://ofbiz.apache.org/download.html https://ofbiz.apache.org/release-notes-24.09.02.html https://ofbiz.apache.org/security.html http://www.openwall.com/lists/oss-security/2025/08/05/1