CVE-2023-36288
https://notcve.org/view.php?id=CVE-2023-36288
An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via GET configure parameter. • https://flashy-lemonade-192.notion.site/Cross-site-scripting-in-admin-dashboard-via-configure-parameter-in-QloApps-1-6-0-b6303661ac6a47e4b7a6f23cf2818a52?pvs=4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-2925 – Webkul krayin crm Edit Person Page 2 cross site scripting
https://notcve.org/view.php?id=CVE-2023-2925
A vulnerability, which was classified as problematic, was found in Webkul krayin crm 1.2.4. This affects an unknown part of the file /admin/contacts/organizations/edit/2 of the component Edit Person Page. The manipulation of the argument Organization leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://drive.google.com/file/d/1t7JwP0Qyo6ye-2dt6XhA1ENHDwsnYjD3/view?usp=sharing https://vuldb.com/?ctiid.230079 https://vuldb.com/?id.230079 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-30256 – Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-30256
Cross Site Scripting vulnerability found in Webkil QloApps v.1.5.2 allows a remote attacker to obtain sensitive information via the back and email_create parameters in the AuthController.php file. Webkul Qloapps version 1.5.2 suffers from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/51465 https://github.com/ahrixia/CVE-2023-30256 http://packetstormsecurity.com/files/172542/Webkul-Qloapps-1.5.2-Cross-Site-Scripting.html https://github.com/webkul/hotelcommerce https://qloapps.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-41924
https://notcve.org/view.php?id=CVE-2021-41924
Webkul krayin crm before 1.2.2 is vulnerable to Cross Site Scripting (XSS). Webkul krayin crm versiones anteriores a 1.2.2, es vulnerable a un ataque de tipo Cross Site Scripting (XSS) • https://github.com/krayin/laravel-crm/pull/195/commits/882dc2e7e7e9149b96cf1ccacf34900960b92fb7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-16403
https://notcve.org/view.php?id=CVE-2019-16403
In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by other customers. En Webkul Bagisto en versiones anteriores a la 0.1.5, las funcionalidades para que los clientes cambien sus propios valores (como dirección, revisión, pedidos, etc.) también pueden ser manipuladas por otros clientes. • https://github.com/bagisto/bagisto/issues/749 • CWE-639: Authorization Bypass Through User-Controlled Key •