Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Nopcommerce Subscribe
Total 14 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-26954 1 Nopcommerce 1 Nopcommerce 2022-10-21 N/A 6.1 MEDIUM
Multiple open redirect vulnerabilities in NopCommerce 4.10 through 4.50.1 allow remote attackers to conduct phishing attacks by redirecting users to attacker-controlled web sites via the returnUrl parameter, processed by the (1) ChangePassword function, (2) SignInCustomerAsync function, (3) SuccessfulAuthentication method, or (4) NopRedirectResultExecutor class.
CVE-2022-33077 1 Nopcommerce 1 Nopcommerce 2022-10-20 N/A 7.5 HIGH
An access control issue in nopcommerce v4.50.2 allows attackers to arbitrarily modify any customer's address via the addressedit endpoint.
CVE-2022-27461 1 Nopcommerce 1 Nopcommerce 2022-05-12 5.8 MEDIUM 6.1 MEDIUM
In nopCommerce 4.50.1, an open redirect vulnerability can be triggered by luring a user to authenticate to a nopCommerce page by clicking on a crafted link.
CVE-2022-28451 1 Nopcommerce 1 Nopcommerce 2022-05-10 5.0 MEDIUM 7.5 HIGH
nopCommerce 4.50.1 is vulnerable to Directory Traversal via the backup file in the Maintenance feature.
CVE-2022-28448 1 Nopcommerce 1 Nopcommerce 2022-05-04 3.5 LOW 5.4 MEDIUM
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). An attacker (role customer) can inject javascript code to First name or Last name at Customer Info.
CVE-2022-28449 1 Nopcommerce 1 Nopcommerce 2022-05-04 4.3 MEDIUM 6.1 MEDIUM
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). At Apply for vendor account feature, an attacker can upload an arbitrary file to the system.
CVE-2022-28450 1 Nopcommerce 1 Nopcommerce 2022-05-04 3.5 LOW 5.4 MEDIUM
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS) via the "Text" parameter (forums) when creating a new post, which allows a remote attacker to execute arbitrary JavaScript code at client browser.
CVE-2021-26916 1 Nopcommerce 1 Nopcommerce 2021-02-11 4.3 MEDIUM 6.1 MEDIUM
In nopCommerce 4.30, a Reflected XSS issue in the Discount Coupon component allows remote attackers to inject arbitrary web script or HTML through the Filters/CheckDiscountCouponAttribute.cs discountcode parameter.
CVE-2020-29475 1 Nopcommerce 1 Store 2020-12-30 3.5 LOW 4.8 MEDIUM
nopCommerce Store 4.30 is affected by cross-site scripting (XSS) in the Schedule tasks name field. This vulnerability can allow an attacker to inject the XSS payload in Schedule tasks and each time any user will go to that page of the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
CVE-2019-19683 1 Nopcommerce 1 Nopcommerce 2019-12-17 9.0 HIGH 9.1 CRITICAL
RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to ../ path traversal via d or f to Admin/RoxyFileman/ProcessRequest because of Libraries/Nop.Services/Media/RoxyFileman/FileRoxyFilemanService.cs.
CVE-2019-19685 1 Nopcommerce 1 Nopcommerce 2019-12-17 6.8 MEDIUM 8.8 HIGH
RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to CSRF because GET requests can be used for renames and deletions.
CVE-2019-19684 1 Nopcommerce 1 Nopcommerce 2019-12-11 6.5 MEDIUM 8.8 HIGH
nopCommerce v4.2.0 allows privilege escalation via file upload in Presentation/Nop.Web/Admin/Areas/Controllers/PluginController.cs via Admin/FacebookAuthentication/Configure because it is possible to upload a crafted Facebook Auth plugin.
CVE-2019-19682 1 Nopcommerce 1 Nopcommerce 2019-12-10 3.5 LOW 4.8 MEDIUM
nopCommerce through 4.20 allows XSS in the SaveStoreMappings of the components \Presentation\Nop.Web\Areas\Admin\Controllers\NewsController.cs and \Presentation\Nop.Web\Areas\Admin\Controllers\BlogController.cs via Body or Full to Admin/News/NewsItemEdit/[id] Admin/Blog/BlogPostEdit/[id]. NOTE: the vendor reportedly considers this a "feature" because the affected components are an HTML content editor.
CVE-2019-11519 1 Nopcommerce 1 Nopcommerce 2019-05-01 4.0 MEDIUM 4.9 MEDIUM
Libraries/Nop.Services/Localization/LocalizationService.cs in nopCommerce through 4.10 allows XXE via the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen.