nopCommerce Security Vulnerabilities
In nopCommerce 4.50.1, an open redirect vulnerability can be triggered by luring a user to authenticate to a nopCommerce page by clicking on a crafted link.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2022-05-04
nopCommerce 4.50.1 is vulnerable to Directory Traversal via the backup file in the Maintenance feature.
CVSS Score: 7.5 | EPSS Score: 0.007 | Published: 2022-05-02
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). In the "Apply for vendor account" feature, an attacker can upload an arbitrary file to the system.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2022-04-26
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS) via the "Text" parameter (forums) when creating a new post, which allows a remote attacker to execute arbitrary JavaScript code in the client browser.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2022-04-26
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). An attacker (customer role) can inject JavaScript code into the First name or Last name fields in Customer Info.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2022-04-26
In nopCommerce 4.30, a Reflected XSS issue in the Discount Coupon component allows remote attackers to inject arbitrary web script or HTML through the Filters/CheckDiscountCouponAttribute.cs discountcode parameter.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2021-02-08
nopCommerce through 4.20 allows XSS in the SaveStoreMappings of the components \Presentation\Nop.Web\Areas\Admin\Controllers\NewsController.cs and \Presentation\Nop.Web\Areas\Admin\Controllers\BlogController.cs via Body or Full to Admin/News/NewsItemEdit/[id] and Admin/Blog/BlogPostEdit/[id]. NOTE: the vendor reportedly considers this a "feature" because the affected components are an HTML content editor.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2019-12-09
RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to ../ path traversal via d or f to Admin/RoxyFileman/ProcessRequest because of Libraries/Nop.Services/Media/RoxyFileman/FileRoxyFilemanService.cs.
CVSS Score: 9.1 | EPSS Score: 0.006 | Published: 2019-12-09
nopCommerce v4.2.0 allows privilege escalation via file upload in Presentation/Nop.Web/Admin/Areas/Controllers/PluginController.cs via Admin/FacebookAuthentication/Configure because it is possible to upload a crafted Facebook Auth plugin.
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2019-12-09
RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to CSRF because GET requests can be used for renames and deletions.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2019-12-09
Shodan ® - All rights reserved