Code Injection Vulnerability in Apache OFBiz Scrum Plugin
CVE-2025-54466
6.3 MEDIUM
What is CVE-2025-54466?
A code injection vulnerability in the Apache OFBiz scrum plugin can lead to remote code execution (RCE) by unauthenticated attackers. This issue affects versions of Apache OFBiz prior to 24.09.02, making it critical for users of the scrum plugin to update to the latest version to protect their systems against potential exploitation.
Affected Version(s)
Apache OFBiz 0 < 24.09.02
References
CVSS V3.1
Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Teeramet Eakwilai <teeramet@datafarm.co.th>
Thanasin Luangpipat
Jarukit Auikritskul