CVEDB API

Vulnerabilities

Vulnerable Software

Nopcommerce: Security Vulnerabilities

CVE-2019-19683

RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to ../ path traversal via d or f to Admin/RoxyFileman/ProcessRequest because of Libraries/Nop.Services/Media/RoxyFileman/FileRoxyFilemanService.cs.

CVSS Score

9.1

EPSS Score

0.006

Published

2019-12-09

CVE-2019-19684

nopCommerce v4.2.0 allows privilege escalation via file upload in Presentation/Nop.Web/Admin/Areas/Controllers/PluginController.cs via Admin/FacebookAuthentication/Configure because it is possible to upload a crafted Facebook Auth plugin.

CVSS Score

8.8

EPSS Score

0.004

Published

2019-12-09

CVE-2019-19685

RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to CSRF because GET requests can be used for renames and deletions.

CVSS Score

8.8

EPSS Score

0.001

Published

2019-12-09

CVE-2019-11519

Libraries/Nop.Services/Localization/LocalizationService.cs in nopCommerce through 4.10 allows XXE via the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen.

CVSS Score

4.9

EPSS Score

0.003

Published

2019-04-25

Page 2

Vulnerabilities

Vulnerable Software

Nopcommerce: Security Vulnerabilities

Products

Pricing

Contact Us