CVE-2019-12426: 
Apache OFBiz vulnerability analysis and mitigation

CVE-2019-12426 is an information disclosure vulnerability discovered in Apache OFBiz versions 16.11.01 through 16.11.06. The vulnerability was initially recorded on May 28, 2019, and publicly disclosed on February 6, 2020. The issue allows unauthenticated users to access information from backend screens by invoking the setSessionLocale function (NVD, CVE MITRE).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. Under CVSS v2.0, it received a Base Score of 5.0 (Medium) with the vector (AV:N/AC:L/Au:N/C:P/I:N/A:N). The vulnerability specifically involves the setSessionLocale functionality that could be exploited by unauthenticated users to gain unauthorized access to backend information (NVD).

The vulnerability allows unauthorized access to backend screen information, potentially exposing sensitive system data to unauthenticated users. The CVSS scores indicate that while the vulnerability has network-level access vector and requires low attack complexity, it primarily impacts confidentiality with no effects on integrity or availability (NVD).

The vulnerability has been fixed in Apache OFBiz version 16.11.07. Users running affected versions (16.11.01 to 16.11.06) should upgrade to the patched version to mitigate the vulnerability (Apache Advisory).