CVE-2021-41672
https://notcve.org/view.php?id=CVE-2021-41672
PEEL Shopping CMS 9.4.0 is vulnerable to authenticated SQL injection in utilisateurs.php. A user that belongs to the administrator group can inject a malicious SQL query in order to affect the execution logic of the application and retrive information from the database. PEEL Shopping CMS versión 9.4.0, es vulnerable a una inyección SQL autenticada en el archivo utilisateurs.php. Un usuario que pertenezca al grupo de administradores puede inyectar una consulta SQL maliciosa para afectar a la lógica de ejecución de la aplicación y recuperar información de la base de datos • http://peel.com https://github.com/advisto/peel-shopping/issues/5 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-37593 – PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection
https://notcve.org/view.php?id=CVE-2021-37593
PEEL Shopping version 9.4.0 allows remote SQL injection. A public user/guest (unauthenticated) can inject a malicious SQL query in order to affect the execution of predefined SQL commands. Upon a successful SQL injection attack, an attacker can read sensitive data from the database and possibly modify database data. La versión 9.4.0 de PEEL Shopping permite una inyección SQL remota. Un usuario/huésped (no autenticado) puede inyectar una consulta SQL maliciosa para afectar la ejecución de comandos SQL predefinidos. • https://www.exploit-db.com/exploits/50142 http://www.netbytesec.com/advisories/UnauthenticatedBlindSQLInjectionVulnerabilityInPEELShopping https://github.com/advisto/peel-shopping/issues/3 https://github.com/faisalfs10x/CVE-IDs/blob/main/2021/CVE-2021-37593/Proof_of_Concept.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-27190
https://notcve.org/view.php?id=CVE-2021-27190
A Stored Cross Site Scripting(XSS) Vulnerability was discovered in PEEL SHOPPING 9.3.0 and 9.4.0, which are publicly available. The user supplied input containing polyglot payload is echoed back in javascript code in HTML response. This allows an attacker to input malicious JavaScript which can steal cookie, redirect them to other malicious website, etc. Se detectó una vulnerabilidad de Cross Site Scripting(XSS) almacenada en PEEL SHOPPING versiones 9.3.0 y 9.4.0, que están disponibles públicamente. La entrada suministrada por el usuario que contiene la carga útil de políglota se devuelve en código javascript en la respuesta HTML. • https://github.com/anmolksachan/CVE-2021-27190-PEEL-Shopping-cart-9.3.0-Stored-XSS https://github.com/advisto/peel-shopping/issues/4#issuecomment-953461611 https://github.com/vulf/Peel-Shopping-cart-9.4.0-Stored-XSS https://www.peel-shopping.com/modules/telechargement/telecharger.php?id=7 https://www.secuneus.com/cve-2021-27190-peel-shopping-ecommerce-shopping-cart-stored-cross-site-scripting-vulnerability-in-address • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-20178
https://notcve.org/view.php?id=CVE-2019-20178
Advisto PEEL Shopping 9.2.1 has CSRF via administrer/utilisateurs.php to delete a user. Advisto PEEL Shopping versión 9.2.1, presenta una vulnerabilidad de tipo CSRF por medio del archivo administrer/utilisateurs.php para eliminar un usuario. • https://medium.com/%40Pablo0xSantiago/cve-2019-20178-peel-shopping-ecommerce-shopping-cart-9-2-1-cross-site-request-forgery-17fc49ab5a65 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2018-20848
https://notcve.org/view.php?id=CVE-2018-20848
Advisto PEEL SHOPPING 9.0.0 has CSRF via en/achat/caddie_ajout.php and en/achat/caddie_affichage.php, as demonstrated by an XSS payload in the couleurId[0] parameter to the latter. Advisto PEEL SHOPPING versión 9.0.0, presenta un problema de tipo CSRF por medio de los archivos en/achat/caddie_ajout.php y en/achat/caddie_affichage.php, como es demostrado por una carga útil XSS en el parámetro couleurId[0] para este último. • https://packetstormsecurity.com/files/147467/Peel-Shopping-Cart-9.0.0-Cross-Site-Request-Forgery-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •