CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39319 – aimeos/ai-controller-frontend has IDOR vulnerability in account profile page
https://notcve.org/view.php?id=CVE-2024-39319
26 Sep 2024 — aimeos/ai-controller-frontend is the Aimeos frontend controller package for e-commerce projects. Prior to versions 2024.4.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15, an insecure direct object reference allows an attacker to disable subscriptions and reviews of another customer. Versions 2024.4.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15 fix this issue. • https://github.com/aimeos/ai-controller-frontend/commit/2ad5c062a629af374da470a319914c321c9bfee2 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2021-28380
https://notcve.org/view.php?id=CVE-2021-28380
16 Mar 2021 — The aimeos (aka Aimeos shop and e-commerce framework) extension before 19.10.12 and 20.x before 20.10.5 for TYPO3 allows XSS via a backend user account. La extensión de aimeos (también se conoce como tienda de Aimeos y e-commerce framework) versiones anteriores a 19.10.12 y versiones 20.x anteriores a 20.10.5 para TYPO3, permite un ataque de tipo XSS por medio de una cuenta de usuario de backend • https://typo3.org/security/advisory/typo3-ext-sa-2021-003 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •