Vulnerabilities > Nopcommerce

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | ATTACK VECTOR | COMPLEXITY | VENDOR | CWE | RISK |
|---|---|---|---|---|---|---|---|---|
| 2022-10-20 | CVE-2022-26954 | Open Redirect vulnerability in Nopcommerce | Multiple open redirect vulnerabilities in NopCommerce 4.10 through 4.50.1 allow remote attackers to conduct phishing attacks by redirecting users to attacker-controlled web sites via the returnUrl parameter, processed by the (1) ChangePassword function, (2) SignInCustomerAsync function, (3) SuccessfulAuthentication method, or (4) NopRedirectResultExecutor class. | network | low complexity | nopcommerce | CWE-601 | 6.1 |
| 2022-10-19 | CVE-2022-33077 | Authorization Bypass Through User-Controlled Key vulnerability in Nopcommerce | An access control issue in nopcommerce v4.50.2 allows attackers to arbitrarily modify any customer's address via the addressedit endpoint. | network | low complexity | nopcommerce | CWE-639 | 7.5 |
| 2022-05-04 | CVE-2022-27461 | Open Redirect vulnerability in Nopcommerce | In nopCommerce 4.50.1, an open redirect vulnerability can be triggered by luring a user to authenticate to a nopCommerce page by clicking on a crafted link. | network | low complexity | nopcommerce | CWE-601 | 6.1 |
| 2022-05-02 | CVE-2022-28451 | Path Traversal vulnerability in Nopcommerce 4.50.1 | nopCommerce 4.50.1 is vulnerable to Directory Traversal via the backup file in the Maintenance feature. | network | low complexity | nopcommerce | CWE-22 | 7.5 |
| 2022-04-26 | CVE-2022-28449 | Cross-site Scripting vulnerability in Nopcommerce 4.50.1 | nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). | network | low complexity | nopcommerce | CWE-79 | 6.1 |
| 2022-04-26 | CVE-2022-28450 | Cross-site Scripting vulnerability in Nopcommerce 4.50.1 | nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS) via the "Text" parameter (forums) when creating a new post, which allows a remote attacker to execute arbitrary JavaScript code at client browser. | network | low complexity | nopcommerce | CWE-79 | 5.4 |
| 2022-04-26 | CVE-2022-28448 | Cross-site Scripting vulnerability in Nopcommerce 4.50.1 | nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). | network | low complexity | nopcommerce | CWE-79 | 5.4 |
| 2021-02-08 | CVE-2021-26916 | Cross-site Scripting vulnerability in Nopcommerce 4.30 | In nopCommerce 4.30, a Reflected XSS issue in the Discount Coupon component allows remote attackers to inject arbitrary web script or HTML through the Filters/CheckDiscountCouponAttribute.cs discountcode parameter. | network | low complexity | nopcommerce | CWE-79 | 6.1 |
| 2020-12-29 | CVE-2020-29475 | Cross-site Scripting vulnerability in Nopcommerce Store 4.30 | nopCommerce Store 4.30 is affected by cross-site scripting (XSS) in the Schedule tasks name field. | network | low complexity | nopcommerce | CWE-79 | 4.8 |
| 2019-12-09 | CVE-2019-19685 | Cross-Site Request Forgery (CSRF) vulnerability in Nopcommerce 4.20 | RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to CSRF because GET requests can be used for renames and deletions. | network | low complexity | nopcommerce | CWE-352 | 8.8 |