A Groovy RCE and an XSS have been identified in Apache OFBiz <= 18.12.05.
Apache OFBiz does not create CVEs for "post-auth attacks done using demo credentials, notably using the admin user", as stated on its security page.
These vulnerabilities require:
- Valid user credentials
More details and the exploitation process can be found in this PDF.