
CVE-2024-0916 – Unauthenticated Remote Code Execution in UvDesk Community
https://notcve.org/view.php?id=CVE-2024-0916
25 Apr 2024 — Unauthenticated file upload allows remote code execution. This issue affects UvDesk Community: from 1.0.0 through 1.1.3. • https://github.com/uvdesk/core-framework/pull/706 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2023-36238
https://notcve.org/view.php?id=CVE-2023-36238
13 Mar 2024 — Insecure Direct Object Reference (IDOR) in Bagisto v.1.5.1 allows an attacker to obtain sensitive information via the invoice ID parameter. • https://github.com/Ek-Saini/security/blob/main/IDOR-Bagisto • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2024-27499
https://notcve.org/view.php?id=CVE-2024-27499
01 Mar 2024 — Bagisto v1.5.1 is vulnerable to cross-site scripting (XSS) via PNG file upload in the product review option. • https://github.com/Ek-Saini/security/blob/main/xss-bagisto-v1.5.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-51210
https://notcve.org/view.php?id=CVE-2023-51210
23 Jan 2024 — SQL injection vulnerability in Webkul Bundle Product 6.0.1 allows a remote attacker to execute arbitrary code via the id_product parameters in the UpdateProductQuantity function. • https://medium.com/%40nasir.synack/uncovering-critical-vulnerability-cve-2023-51210-in-prestashop-plugin-bundle-product-pack-ad7fb08bdc91 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-36235
https://notcve.org/view.php?id=CVE-2023-36235
17 Jan 2024 — An issue in Webkul QloApps before v1.6.0 allows an attacker to obtain sensitive information via the id_order parameter. • https://github.com/Ek-Saini/security/blob/main/IDOR-Qloapps • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2023-36236
https://notcve.org/view.php?id=CVE-2023-36236
16 Jan 2024 — Cross-site scripting vulnerability in Webkul Bagisto v.1.5.0 and before allows an attacker to execute arbitrary code via a crafted SVG file upload. • https://bagisto.com/en • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-37636
https://notcve.org/view.php?id=CVE-2023-37636
23 Oct 2023 — A stored cross-site scripting (XSS) vulnerability in UVDesk Community Skeleton v1.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Message field when creating a ticket. • https://www.esecforte.com/cve-2023-37636-stored-cross-site-scripting • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-39147 – Uvdesk v1.1.3 - File Upload Remote Code Execution (RCE) (Authenticated)
https://notcve.org/view.php?id=CVE-2023-39147
01 Aug 2023 — An arbitrary file upload vulnerability in Uvdesk 1.1.3 allows attackers to execute arbitrary code via uploading a crafted image file. Uvdesk version 1.1.3 suffers from a remote shell upload vulnerability. • https://packetstorm.news/files/id/173878 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2023-33570
https://notcve.org/view.php?id=CVE-2023-33570
28 Jun 2023 — Bagisto v1.5.1 is vulnerable to Server-Side Template Injection (SSTI). • https://siltonrenato02.medium.com/a-brief-summary-about-a-ssti-to-rce-in-bagisto-e900ac450490 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-36288
https://notcve.org/view.php?id=CVE-2023-36288
23 Jun 2023 — An unauthenticated cross-site scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via the GET configure parameter. • https://flashy-lemonade-192.notion.site/Cross-site-scripting-in-admin-dashboard-via-configure-parameter-in-QloApps-1-6-0-b6303661ac6a47e4b7a6f23cf2818a52?pvs=4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •