
CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

10 Feb 2025 — A vulnerability, which was classified as problematic, was found in Webkul QloApps 1.6.1. This affects an unknown part of the file /stores of the component Your Location Search. The manipulation leads to cross-site scripting. It is possible to initiate the attack remotely. It is planned to remove this page in the long term. • https://github.com/mano257200/Qloapp-XSS-Vulnerability/tree/main • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

06 Feb 2025 — A vulnerability, which was classified as problematic, was found in Webkul QloApps 1.6.1. Affected is the function logout of the file /en/?mylogout of the component URL Handler. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. • https://github.com/mano257200/qloapps-csrf-logout-vulnerability • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •
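The entry above describes a logout that any cross-site request can trigger because it is a state change driven by a plain GET to /en/?mylogout. The script below is an added example, not QloApps code: it shows the forgeable pattern next to a handler that only logs out on a POST carrying a per-session token compared in constant time. Function names are hypothetical and a plain array stands in for $_SESSION so it runs from the CLI without a web server.

```php
<?php
// Added example (not QloApps code). Hypothetical function names; $session stands in
// for $_SESSION so the script runs stand-alone from the CLI.

declare(strict_types=1);

// Issue one CSRF token per session and reuse it for the session's lifetime.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $session['csrf'];
}

// Forgeable pattern: any request carrying ?mylogout, including a cross-site
// <img src="https://victim/en/?mylogout"> GET, destroys the session.
function logoutVulnerable(array $request, array &$session): bool
{
    if (isset($request['query']['mylogout'])) {
        $session = [];
        return true;
    }
    return false;
}

// Hardened pattern: GET stays idempotent; the state change happens only on a POST
// whose token matches the session's token. hash_equals avoids a timing side channel.
function logoutHardened(array $request, array &$session): bool
{
    if ($request['method'] !== 'POST') {
        return false;
    }
    $sent     = $request['post']['csrf_token'] ?? '';
    $expected = $session['csrf'] ?? '';
    if ($expected === '' || !hash_equals($expected, $sent)) {
        return false;
    }
    $session = []; // in a real app also call session_regenerate_id(true)
    return true;
}

// Constructed requests: a forged cross-site GET and a genuine POST from the logout form.
$session = ['user_id' => 42];
$token   = csrfToken($session);

$forged = ['method' => 'GET',  'query' => ['mylogout' => ''], 'post' => []];
$legit  = ['method' => 'POST', 'query' => [],                 'post' => ['csrf_token' => $token]];

$s = $session;
var_dump(logoutVulnerable($forged, $s)); // forged GET against the vulnerable handler
$s = $session;
var_dump(logoutHardened($forged, $s));   // same forged GET against the hardened handler
var_dump(logoutHardened($legit, $s));    // genuine POST with the session's token
```

Marking the session cookie SameSite=Lax (or Strict) is worth adding as a second layer, but it does not replace the method check and token: older clients ignore the attribute, and a top-level GET navigation still sends a Lax cookie.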

CVSS: 10.0 | EPSS: 4% | CPEs: 1 | EXPL: 1

24 Dec 2024 — The WooCommerce Point of Sale plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.1.0. This is due to insufficient validation on the 'logged_in_user_id' value when option values are empty and the ability for attackers to change the email of arbitrary user accounts. This makes it possible for unauthenticated attackers to change the email of arbitrary user accounts, including administrators, and reset their password to gain access to the account. • https://github.com/McTavishSue/CVE-2024-11281 • CWE-862: Missing Authorization •

CVSS: 7.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

07 Oct 2024 — Krayin CRM v1.3.0 is vulnerable to cross-site scripting (XSS) via the organization name field in /admin/contacts/organizations/edit/2. • http://TobeReleased.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

27 Sep 2024 — A Client-side Template Injection (CSTI) vulnerability in Webkul Krayin CRM 1.3.0 allows remote attackers to execute arbitrary client-side template code by injecting a malicious payload during the lead creation process. This can lead to privilege escalation when the payload is executed, granting the attacker elevated permissions within the CRM system. • https://gist.github.com/Tommywarren/89cef7f876ee897a4ff40a8b71b6208e • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •

CVSS: 9.6 | EPSS: 0% | CPEs: 1 | EXPL: 0

27 Sep 2024 — A Stored Cross-Site Scripting (XSS) vulnerability in Webkul Krayin CRM 1.3.0 allows remote attackers to inject arbitrary JavaScript code by submitting a malicious payload within the username field. This can lead to privilege escalation when the payload is executed, granting the attacker elevated permissions within the CRM system. • https://gist.github.com/Tommywarren/4ac0c8f6e5d8584accd31b8277e55749 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.3 | EPSS: 6% | CPEs: 1 | EXPL: 1

25 Jul 2024 — An arbitrary file upload vulnerability in Webkul Qloapps v1.6.0.0 allows attackers to execute arbitrary code via uploading a crafted file. • https://github.com/3v1lC0d3/RCE-QloApps-CVE-2024-40318 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 10.0 | EPSS: 1% | CPEs: 1 | EXPL: 0

25 Apr 2024 — Unauthenticated file upload allows remote code execution. This issue affects UvDesk Community: from 1.0.0 through 1.1.3. • https://github.com/uvdesk/core-framework/pull/706 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

01 Mar 2024 — Bagisto v1.5.1 is vulnerable to cross-site scripting (XSS) via PNG file upload in the product review option. • https://github.com/Ek-Saini/security/blob/main/xss-bagisto-v1.5.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
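Three entries on this page (the QloApps v1.6.0.0 and UvDesk Community uploads leading to code execution, and the Bagisto review upload leading to XSS) share one root cause: the server trusts the client-supplied name or content type of an uploaded file. The script below is an added example, not code from any of those projects: it validates an upload by extension allowlist and by sniffing the bytes, requires the two to agree, stores the file under a random name, and returns the response headers that stop a browser from sniffing an image back into HTML. Function names are hypothetical; the sample files are constructed byte strings so the script runs offline.

```php
<?php
// Added example (not QloApps, UvDesk or Bagisto code). Hypothetical function names;
// the uploads below are constructed byte strings so the script runs stand-alone.

declare(strict_types=1);

// Allowlist maps the only permitted extensions to the content type each must sniff as.
const ALLOWED = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'pdf'  => 'application/pdf',
];

// Returns the extension to store the file under, or null to reject the upload.
function validateUpload(string $clientName, string $bytes): ?string
{
    // Only the final extension counts, so "shell.php.png" is judged as .png and
    // "shell.php" / "shell.phtml" never reach the allowlist.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    // Sniff the real type from the bytes; the client's Content-Type header is attacker-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->buffer($bytes);
    // Extension and sniffed type must agree: a PHP or HTML body named .png is rejected.
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }
    return $ext;
}

// Random server-side name in a directory outside the web root: the uploader never
// learns or chooses the path, and the web server cannot execute what it cannot reach.
function storagePath(string $uploadDir, string $ext): string
{
    return rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Headers for the download handler that later serves the file: a fixed Content-Type
// from the allowlist plus nosniff, so even a PNG carrying <script> in a text chunk is
// rendered as an image, never as a document.
function serveHeaders(string $ext): array
{
    return [
        'Content-Type: ' . ALLOWED[$ext],
        'X-Content-Type-Options: nosniff',
        'Content-Disposition: attachment',
    ];
}

// Constructed samples: a minimal PNG (signature + IHDR chunk), a PHP body, an HTML body.
$png      = "\x89PNG\r\n\x1a\n" . "\x00\x00\x00\x0dIHDR" . pack('NN', 1, 1) . "\x08\x06\x00\x00\x00";
$webshell = "<?php system(\$_GET['c']); ?>";
$html     = "<html><script>alert(1)</script></html>";

$cases = [
    ['photo.png',     $png],       // genuine image, accepted
    ['shell.php',     $webshell],  // extension not allowlisted
    ['shell.png',     $webshell],  // allowlisted extension, body sniffs as PHP
    ['shell.php.png', $webshell],  // double extension, body still sniffs as PHP
    ['review.png',    $html],      // the Bagisto pattern: HTML body with an image name
];
foreach ($cases as [$name, $bytes]) {
    $ext = validateUpload($name, $bytes);
    echo str_pad($name, 16), ' => ', $ext === null ? 'rejected' : storagePath('/srv/uploads', $ext), PHP_EOL;
}
print_r(serveHeaders('png'));
```

Content sniffing is necessary but not sufficient: a polyglot that is both a valid PNG and a valid PHP file passes the finfo check, which is why the upload directory must sit outside the document root (or have script execution disabled in the web server) and why the file is never stored under its original name.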

CVSS: 10.0 | EPSS: 1% | CPEs: 1 | EXPL: 1

23 Jan 2024 — SQL injection vulnerability in Webkul Bundle Product 6.0.1 allows a remote attacker to execute arbitrary code via the id_product parameter in the UpdateProductQuantity function. • https://medium.com/%40nasir.synack/uncovering-critical-vulnerability-cve-2023-51210-in-prestashop-plugin-bundle-product-pack-ad7fb08bdc91 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
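The entry above names an integer identifier, id_product, reaching a SQL statement unsanitized. The script below is an added example, not code from the Bundle Product module: it reproduces that shape with an injectable update next to a hardened one that casts the identifier to int and binds it as a parameter. Table, column and function names are hypothetical, and an in-memory SQLite database through PDO stands in for PrestaShop's MySQL so it runs stand-alone.

```php
<?php
// Added example (not Webkul Bundle Product code). Hypothetical table and function
// names; in-memory SQLite via PDO so the script runs stand-alone.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE product_pack (id_product INTEGER PRIMARY KEY, quantity INTEGER)');

function seed(PDO $db): void
{
    $db->exec('DELETE FROM product_pack');
    $db->exec('INSERT INTO product_pack VALUES (1, 5), (2, 7), (3, 9)');
}

// Injectable: the request value is concatenated into the statement, so
// "1 OR 1=1" rewrites the WHERE clause and every row is updated.
function updateProductQuantityVulnerable(PDO $db, string $idProduct, int $qty): int
{
    $sql = "UPDATE product_pack SET quantity = $qty WHERE id_product = $idProduct";
    return $db->exec($sql); // affected row count
}

// Hardened: an identifier that must be an integer is cast to one (PrestaShop code
// conventionally does (int)Tools::getValue('id_product')), then bound as a typed
// parameter so the value can never change the statement's structure.
function updateProductQuantityHardened(PDO $db, string $idProduct, int $qty): int
{
    $id   = (int) $idProduct; // "1 OR 1=1" becomes 1
    $stmt = $db->prepare('UPDATE product_pack SET quantity = :q WHERE id_product = :id');
    $stmt->bindValue(':q',  $qty, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id,  PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function quantities(PDO $db): array
{
    return $db->query('SELECT id_product, quantity FROM product_pack ORDER BY id_product')
              ->fetchAll(PDO::FETCH_KEY_PAIR);
}

$payload = '1 OR 1=1'; // constructed attacker-controlled id_product value

seed($db);
echo 'vulnerable handler touched ', updateProductQuantityVulnerable($db, $payload, 0), " row(s)\n";
print_r(quantities($db));

seed($db);
echo 'hardened handler touched ', updateProductQuantityHardened($db, $payload, 0), " row(s)\n";
print_r(quantities($db));
```

The cast alone would already neutralize this particular payload, but binding is what makes the fix hold for string parameters too; pairing both is the habit worth keeping, since a later change that turns id_product into a free-text lookup would otherwise reintroduce the bug.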