Store Security Vulnerabilities

Search listing of CVE entries (total number of security vulnerabilities: 479). Each entry gives the CVE ID, CVSS score, AI Score, EPSS probability and the entry date, followed by the truncated description as listed.

CVE-2022-28991 | CVSS 7.5 | AI Score 7.2 | EPSS 0.001 | 2022-05-20 01:15 PM
Multi Store Inventory Management System v1.0 was discovered to contain an information disclosure vulnerability which allows attackers to access sensitive...

CVE-2022-28993 | CVSS 9.8 | AI Score 9.2 | EPSS 0.003 | 2022-05-20 01:15 PM
Multi Store Inventory Management System v1.0 allows attackers to perform an account takeover via a crafted POST...

CVE-2022-30396 | CVSS 7.2 | AI Score 7.4 | EPSS 0.001 | 2022-05-13 03:15 PM
Merchandise Online Store v1.0 is vulnerable to SQL Injection via...

CVE-2022-30384 | CVSS 9.8 | AI Score 9.8 | EPSS 0.002 | 2022-05-13 03:15 PM
Merchandise Online Store v1.0 is vulnerable to SQL Injection via...

CVE-2022-30400 | CVSS 7.2 | AI Score 7.4 | EPSS 0.001 | 2022-05-13 03:15 PM
Merchandise Online Store v1.0 is vulnerable to SQL Injection via...

CVE-2022-30402 | CVSS 7.2 | AI Score 7.4 | EPSS 0.001 | 2022-05-13 03:15 PM
Merchandise Online Store v1.0 is vulnerable to SQL Injection via...

CVE-2022-30401 | CVSS 7.2 | AI Score 7.4 | EPSS 0.001 | 2022-05-13 03:15 PM
Merchandise Online Store v1.0 is vulnerable to SQL Injection via...

CVE-2022-30398 | CVSS 7.2 | AI Score 7.4 | EPSS 0.001 | 2022-05-13 03:15 PM
Merchandise Online Store v1.0 is vulnerable to SQL Injection via...

CVE-2022-30395 | CVSS 9.8 | AI Score 9.8 | EPSS 0.002 | 2022-05-13 03:15 PM
Merchandise Online Store v1.0 is vulnerable to SQL Injection via...

CVE-2022-30393 | CVSS 7.2 | AI Score 7.4 | EPSS 0.001 | 2022-05-13 03:15 PM
Merchandise Online Store v1.0 is vulnerable to SQL Injection via...

CVE-2022-30386 | CVSS 9.8 | AI Score 9.8 | EPSS 0.002 | 2022-05-13 03:15 PM
Merchandise Online Store v1.0 is vulnerable to SQL Injection via...

CVE-2022-30399 | CVSS 7.2 | AI Score 7.4 | EPSS 0.001 | 2022-05-13 03:15 PM
Merchandise Online Store v1.0 is vulnerable to SQL Injection via...

CVE-2022-30385 | CVSS 9.8 | AI Score 9.8 | EPSS 0.002 | 2022-05-13 03:15 PM
Merchandise Online Store v1.0 is vulnerable to SQL Injection via...

CVE-2022-30403 | CVSS 7.2 | AI Score 7.4 | EPSS 0.001 | 2022-05-13 03:15 PM
Merchandise Online Store v1.0 is vulnerable to SQL Injection via...

CVE-2022-30392 | CVSS 9.8 | AI Score 9.8 | EPSS 0.002 | 2022-05-13 03:15 PM
Merchandise Online Store v1.0 is vulnerable to SQL Injection via...

CVE-2022-30391 | CVSS 9.8 | AI Score 9.8 | EPSS 0.002 | 2022-05-13 03:15 PM
Merchandise Online Store v1.0 is vulnerable to SQL Injection via...

CVE-2022-30381 | CVSS 6.5 | AI Score 6.4 | EPSS 0.001 | 2022-05-13 03:15 PM
Merchandise Online Store v1.0 is vulnerable to file deletion via...

CVE-2022-30387 | CVSS 9.8 | AI Score 9.8 | EPSS 0.002 | 2022-05-13 03:15 PM
Merchandise Online Store v1.0 is vulnerable to SQL Injection via...

CVE-2022-28791 | CVSS 6.2 | AI Score 5.4 | EPSS 0.0004 | 2022-05-03 08:15 PM
Improper input validation vulnerability in InstallAgent in Galaxy Store prior to version 4.5.41.8 allows attacker to overwrite files stored in a specific path. The patch adds proper protection to prevent overwrite to existing...

CVE-2020-14118 | CVSS 6.1 | AI Score 6.1 | EPSS 0.001 | 2022-04-21 06:15 PM
An intent redirection vulnerability in the Mi App Store product. This vulnerability is caused by the Mi App Store not verifying the validity of the incoming data, which can cause the app store to automatically download and install...

CVE-2020-14121 | CVSS 5.5 | AI Score 5.4 | EPSS 0.0004 | 2022-04-21 06:15 PM
A business logic vulnerability exists in Mi App Store. The vulnerability is caused by incomplete permission checks of the products being bypassed, and an attacker can exploit the vulnerability to perform a local silent...

CVE-2022-28544 | CVSS 6.2 | AI Score 5.4 | EPSS 0.0004 | 2022-04-11 08:15 PM
Path traversal vulnerability in unzip method of InstallAgentCommonHelper in Galaxy store prior to version 4.5.40.5 allows attacker to access the file of Galaxy...

CVE-2022-28776 | CVSS 7.8 | AI Score 7.5 | EPSS 0.0004 | 2022-04-11 08:15 PM
Improper access control vulnerability in Galaxy Store prior to version 4.5.36.4 allows attacker to install applications from Galaxy Store without user...

CVE-2022-28542 | CVSS 6.8 | AI Score 5.3 | EPSS 0.0004 | 2022-04-11 08:15 PM
Improper sanitization of incoming intent in Galaxy Store prior to version 4.5.40.5 allows local attackers to access privileged content providers as Galaxy Store...

CVE-2021-24778 | CVSS 7.2 | AI Score 7.2 | EPSS 0.001 | 2022-03-07 09:15 AM
The test parameter of the xmlfeed in the Tradetracker-Store WordPress plugin before 4.6.60 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL...

CVE-2022-25394 | CVSS 9.8 | AI Score 9.8 | EPSS 0.002 | 2022-03-02 11:15 PM
Medical Store Management System v1.0 was discovered to contain a SQL injection vulnerability via the cid parameter under...

CVE-2022-25395 | CVSS 9.6 | AI Score 8.6 | EPSS 0.002 | 2022-03-02 11:15 PM
Cosmetics and Beauty Product Online Store v1.0 was discovered to contain multiple reflected cross-site scripting (XSS) attacks via the search parameter under the /cbpos/...

CVE-2022-25396 | CVSS 9.8 | AI Score 9.8 | EPSS 0.002 | 2022-03-02 11:15 PM
Cosmetics and Beauty Product Online Store v1.0 was discovered to contain a SQL injection vulnerability via the search...

CVE-2021-4208 | CVSS 7.2 | AI Score 7 | EPSS 0.001 | 2022-02-21 11:15 AM
The ExportFeed WordPress plugin through 2.0.1.0 does not sanitise and escape the product_id POST parameter before using it in a SQL statement, leading to a SQL injection vulnerability exploitable by high privilege...

CVE-2021-24867 | CVSS 9.8 | AI Score 9.4 | EPSS 0.004 | 2022-02-21 11:15 AM
Numerous Plugins and Themes from the AccessPress Themes (aka Access Keys) vendor are backdoored due to their website being compromised. Only plugins and themes downloaded via the vendor website are affected, and those hosted on wordpress.org are not. However, all of them were updated or removed to...

CVE-2021-25107 | CVSS 6.1 | AI Score 6.1 | EPSS 0.001 | 2022-02-14 12:15 PM
The Form Store to DB WordPress plugin before 1.1.1 does not sanitise and escape parameter keys before outputting them back in the created entry, allowing an unauthenticated attacker to perform Cross-Site Scripting attacks against...

CVE-2022-0149 | CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2022-02-07 04:16 PM
The WooCommerce Stored Exporter WordPress plugin before 2.7.1 was affected by a Reflected Cross-Site Scripting (XSS) vulnerability in the woo_ce admin...

CVE-2021-25077 | CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2022-02-07 04:15 PM
The Store Toolkit for WooCommerce WordPress plugin before 2.3.2 does not sanitise and escape the tab parameter before outputting it back in an admin page in an error message, leading to a Reflected Cross-Site...

CVE-2022-22288 | CVSS 7.5 | AI Score 7.5 | EPSS 0.001 | 2022-01-10 02:12 PM
Improper authorization vulnerability in Galaxy Store prior to 4.5.36.5 allows remote app installation of the...

CVE-2021-43155 | CVSS 9.8 | AI Score 9.8 | EPSS 0.002 | 2021-12-22 06:15 PM
Projectsworlds Online Book Store PHP v1.0 is vulnerable to SQL injection via the "bookisbn" parameter in...

CVE-2021-43156 | CVSS 6.5 | AI Score 6.4 | EPSS 0.001 | 2021-12-22 06:15 PM
In ProjectWorlds Online Book Store PHP 1.0 a CSRF vulnerability in admin_delete.php allows a remote attacker to delete any...

CVE-2021-45105 | CVSS 5.9 | AI Score 7.5 | EPSS 0.966 | 2021-12-18 12:15 PM | In Wild
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue...

CVE-2021-42340 | CVSS 7.5 | AI Score 6.6 | EPSS 0.019 | 2021-10-14 08:15 PM
The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was...

CVE-2021-39317 | CVSS 8.8 | AI Score 8.4 | EPSS 0.006 | 2021-10-11 04:15 PM
A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the /demo-functions.php file or...

CVE-2021-25499 | CVSS 7.1 | AI Score 5.4 | EPSS 0.0004 | 2021-10-06 06:15 PM
Intent redirection vulnerability in SamsungAccountSDKSigninActivity of Galaxy Store prior to version 4.5.32.4 allows attacker to access content provider of Galaxy...

CVE-2021-24679 | CVSS 6.1 | AI Score 6.1 | EPSS 0.001 | 2021-10-04 12:15 PM
The Bitcoin / AltCoin Payment Gateway for WooCommerce WordPress plugin before 1.6.1 does not escape the 's' GET parameter before outputting it back in the All Masking Rules page, leading to a Reflected Cross-Site Scripting...

CVE-2021-34645 | CVSS 8.8 | AI Score 8.6 | EPSS 0.001 | 2021-08-19 04:15 PM
The Shopping Cart & eCommerce Store WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_currency_settings function found in the ~/admin/inc/wp_easycart_admin_initial_setup.php file which allows attackers to inject arbitrary web scripts, in versions up to and including...

CVE-2021-2351 | CVSS 8.3 | AI Score 8.5 | EPSS 0.013 | 2021-07-21 03:15 PM
Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option...

CVE-2021-36374 | CVSS 5.5 | AI Score 5.7 | EPSS 0.001 | 2021-07-14 07:15 AM
When reading a specially crafted ZIP archive, or a derived format, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives...

CVE-2021-36373 | CVSS 5.5 | AI Score 5.9 | EPSS 0.001 | 2021-07-14 07:15 AM
When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were...

CVE-2020-24862 | CVSS 7.5 | AI Score 7.9 | EPSS 0.014 | 2021-06-02 05:15 PM
The catID parameter in Pharmacy Medical Store and Sale Point v1.0 has been found to be vulnerable to a Time-Based blind SQL injection via the /medical/inventories.php path which allows attackers to retrieve all...

CVE-2021-24290 | CVSS 6.1 | AI Score 6.3 | EPSS 0.001 | 2021-05-17 05:15 PM
There are several endpoints in the Store Locator Plus for WordPress plugin through 5.5.15 that could allow unauthenticated attackers the ability to inject malicious JavaScript into...

CVE-2021-24289 | CVSS 8.8 | AI Score 8.5 | EPSS 0.001 | 2021-05-17 05:15 PM
There is functionality in the Store Locator Plus for WordPress plugin through 5.5.14 that made it possible for authenticated users to update their user meta data to become an administrator on any site using the...

CVE-2020-19112 | CVSS 9.8 | AI Score 9.8 | EPSS 0.002 | 2021-05-06 01:15 PM
SQL Injection vulnerability in Online Book Store v1.0 via the bookisbn parameter to admin_delete.php, which could let a remote malicious user execute arbitrary...

CVE-2020-19111 | CVSS 9.8 | AI Score 9.4 | EPSS 0.004 | 2021-05-06 01:15 PM
Incorrect Access Control vulnerability in Online Book Store v1.0 via admin_verify.php, which could let a remote malicious user bypass authentication and obtain sensitive...

Total number of security vulnerabilities: 479