Nopcommerce: >> Nopcommerce >> 4.50.1 Security Vulnerabilities
Multiple open redirect vulnerabilities in NopCommerce 4.10 through 4.50.1 allow remote attackers to conduct phishing attacks by redirecting users to attacker-controlled web sites via the returnUrl parameter, processed by the (1) ChangePassword function, (2) SignInCustomerAsync function, (3) SuccessfulAuthentication method, or (4) NopRedirectResultExecutor class.
CVSS Score
6.1
EPSS Score
0.001
Published
2022-10-20
An access control issue in nopcommerce v4.50.2 allows attackers to arbitrarily modify any customer's address via the addressedit endpoint.
CVSS Score
7.5
EPSS Score
0.002
Published
2022-10-19
In nopCommerce 4.50.1, an open redirect vulnerability can be triggered by luring a user to authenticate to a nopCommerce page by clicking on a crafted link.
CVSS Score
6.1
EPSS Score
0.002
Published
2022-05-04
nopCommerce 4.50.1 is vulnerable to Directory Traversal via the backup file in the Maintenance feature.
CVSS Score
7.5
EPSS Score
0.008
Published
2022-05-02
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). At Apply for vendor account feature, an attacker can upload an arbitrary file to the system.
CVSS Score
6.1
EPSS Score
0.002
Published
2022-04-26
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS) via the "Text" parameter (forums) when creating a new post, which allows a remote attacker to execute arbitrary JavaScript code at client browser.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-04-26
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). An attacker (role customer) can inject javascript code to First name or Last name at Customer Info.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-04-26