Such a development comes just after organizations with SonicWall Firewall Gen 5, Gen 6, and Gen 7 devices were advised by SonicWall to immediately apply issued fixes amid potential in-the-wild exploitation of the flaw, which also affects firewalls' SSLVPN functionality.
Such a vulnerability evades fixes issued for previous OFBiz bugs, tracked as CVE-2024-38856, CVE-2024-36104, and CVE-2024-32113, all of which have resulted from a fragmentation issue within the controller-view map that could allow unauthenticated remote code or SQL query execution, according to Rapid7 security researchers.
Exploitation of the flaw, which stems from LiteSpeed Cache's debug logging functionality, could be conducted by attackers with '/wp-content/debug.log' file access to exfiltrate users' session cookies, spoof admin users, and takeover websites.
Individuals' full names, birthdates, phone numbers, ID numbers, email addresses, home addresses, vehicle identification numbers, car brands and models, engine numbers, and vehicle colors were leaked by the unsecured Elasticsearch instance.
Threat actors could leverage CVE-2024-20439 via static credentials to facilitate the compromise of targeted systems with administrative privileges while intrusions involving CVE-2024-20440 could enable the acquisition of log files with credentials and other sensitive details.