
CVE-2024-1705 – Shopwind Installation DefaultController.php actionCreate code injection
https://notcve.org/view.php?id=CVE-2024-1705
21 Feb 2024 — A vulnerability was found in Shopwind up to 4.6. It has been rated as critical. This issue affects the function actionCreate of the file /public/install/controllers/DefaultController.php of the component Installation. The manipulation leads to code injection. The attack may be initiated remotely. • https://note.zhaoj.in/share/QHdXavkw5eDm • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2022-43321
https://notcve.org/view.php?id=CVE-2022-43321
09 Nov 2022 — Shopwind v3.4.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the component /common/library/Page.php. • http://yii-shopwind.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-30453
https://notcve.org/view.php?id=CVE-2022-30453
11 May 2022 — ShopWind <= 3.4.2 has an RCE vulnerability in Database.php. • https://www.yuque.com/docs/share/9a561b8c-734b-4ab5-b980-e794a457a2e5

CVE-2022-30452
https://notcve.org/view.php?id=CVE-2022-30452
11 May 2022 — ShopWind <= v3.4.2 has a SQL injection vulnerability in Database.php. • https://www.yuque.com/docs/share/a4391512-502b-48aa-a31b-a9297daa4f7d • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2022-30057
https://notcve.org/view.php?id=CVE-2022-30057
11 May 2022 — Shopwind <=v3.4.2 was discovered to contain a stored cross-site scripting (XSS) vulnerability. • https://www.yuque.com/docs/share/7a16a567-53ce-4350-b983-9775776f2ffe • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-30059
https://notcve.org/view.php?id=CVE-2022-30059
11 May 2022 — Shopwind <=v3.4.2 was discovered to contain an arbitrary file delete vulnerability via the neirong parameter at \backend\controllers\DbController.php. • https://www.yuque.com/docs/share/a8385d36-8038-4fa2-b15b-48e104774d61 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2022-30058
https://notcve.org/view.php?id=CVE-2022-30058
11 May 2022 — Shopwind <=v3.4.2 was discovered to contain an arbitrary file download vulnerability via the neirong parameter at \backend\controllers\DbController.php. • https://www.yuque.com/docs/share/0a4355fa-441f-4073-b147-5079549251c5 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')