Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users' order details via manipulation of the query parameter userId.
CVSS Score
8.2
EPSS Score
0.001
Published
2026-01-12
Multiple Cross-Site Scripting (XSS) vulnerabilities exist in xmall v1.1 due to improper handling of user-supplied data. User input fields such as username and description are directly rendered into HTML without proper sanitization or encoding, allowing attackers to inject and execute malicious scripts.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-11-29
Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index.
CVSS Score
9.8
EPSS Score
0.003
Published
2025-05-05
An issue in Erick xmall v.1.1 and before allows a remote attacker to escalate privileges via the updateAddress method of the Address Controller class.
CVSS Score
9.8
EPSS Score
0.01
Published
2025-04-15
xmall v1.1 was discovered to contain a SQL injection vulnerability via the orderDir parameter.
CVSS Score
9.8
EPSS Score
0.816
Published
2024-02-06
A Cross Site Scripting (XSS) vulnerability exists in Exrick XMall Admin Panel as of 11/7/2021 via the GET parameter in product-add.jsp.
CVSS Score
6.1
EPSS Score
0.003
Published
2022-04-07