1114 matches found
BIT-MAGENTO-2021-21016 Magento Commerce Unauthorized Data Modification Could Lead to Arbitrary Code Execution
Magento versions 2.4.1 and earlier, 2.4.0 and earlier and 2.3.6 and earlier are vulnerable to OS command injection via the WebAPI. Successful exploitation could lead to remote code execution by an authenticated attacker. Access to the admin console is required for successful exploitation...
BIT-MAGENTO-2021-21018 Magento Commerce Unauthorized Data Modification Could Lead To Arbitrary Code Execution
Magento versions 2.4.1 and earlier, 2.4.0 and earlier and 2.3.6 and earlier are vulnerable to OS command injection via the scheduled operation module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successfu...
BIT-MAGENTO-2021-21019 Magento Commerce XML Injection Could Lead To Remote Code Execution
Magento versions 2.4.1 and earlier, 2.4.0 and earlier and 2.3.6 and earlier are vulnerable to XML injection in the Widgets module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation...
BIT-MAGENTO-2021-21023 Magento Commerce Stored Cross Site Scripting Vulnerability Could Lead To Arbitrary Code Execution
Magento versions 2.4.1 and earlier, 2.4.0 and earlier and 2.3.6 and earlier are vulnerable to a stored cross-site scripting vulnerability in the admin console. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for...
BIT-MAGENTO-2021-21025 Magento Commerce XML Injection Could Lead To Arbitrary Code Execution
Magento versions 2.4.1 and earlier, 2.4.0 and earlier and 2.3.6 and earlier are vulnerable to XML injection in the product layout updates. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitati...
BIT-MAGENTO-2021-21026 Magento Commerce Incorrect permissions Could Lead To Unauthorized Access
Magento versions 2.4.1 and earlier, 2.4.0 and earlier and 2.3.6 and earlier are affected by an improper authorization vulnerability in the integrations module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin...
BIT-MAGENTO-2021-21027 Magento Commerce Cross-Site Request Forgery (CSRF) Could Lead To Unauthorized Data Modification
Magento versions 2.4.1 and earlier, 2.4.0 and earlier and 2.3.6 and earlier are affected by a cross-site request forgery (CSRF) vulnerability via the GraphQL API. Successful exploitation could lead to unauthorized modification of customer metadata by an unauthenticated attacker. Access to the admin...
BIT-MAGENTO-2021-21031 Magento Commerce Failure To Invalidate User Session Could Lead To Unauthorized Access
Magento versions 2.4.1 and earlier, 2.4.0 and earlier and 2.3.6 and earlier do not adequately invalidate user sessions. Successful exploitation could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation...
BIT-MAGENTO-2021-21032 Magento Commerce Failure To Invalidate User Session Could Lead To Unauthorized Access
Magento versions 2.4.1 and earlier, 2.4.0 and earlier and 2.3.6 and earlier do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation...
BIT-MAGENTO-2021-28563 Magento Commerce improper Authorization via the 'Create Customer' endpoint
Magento versions 2.4.2 and earlier, 2.4.1 and earlier and 2.3.6 and earlier are affected by an Improper Authorization vulnerability via the 'Create Customer' endpoint. Successful exploitation could lead to unauthorized modification of customer data by an unauthenticated attacker. Access to the...
BIT-MAGENTO-2021-28566 Magento Commerce information disclosure during upload action leveraging a specially crafted file
Magento versions 2.4.2 and earlier, 2.4.1 and earlier and 2.3.6 and earlier are vulnerable to an Information Disclosure vulnerability when uploading a modified png file to a product image. Successful exploitation could lead to the disclosure of document root path by an unauthenticated attacker...
BIT-MAGENTO-2021-28567 Magento Commerce improper authorization allows an authenticated user to perform certain functions without permission
Magento versions 2.4.2 and earlier, 2.4.1 and earlier and 2.3.6 and earlier are vulnerable to an Improper Authorization vulnerability in the customers module. Successful exploitation could allow a low-privileged user to modify customer data. Access to the admin console is required for successful...
BIT-MAGENTO-2021-28584 Magento Commerce path traversal vulnerability in child theme store creation
Magento versions 2.4.2 and earlier, 2.4.1 and earlier and 2.3.6 and earlier are affected by a Path Traversal vulnerability when creating a store with child theme. Successful exploitation could lead to arbitrary file system write by an authenticated attacker. Access to the admin console is required...
CVE-2024-20939
Vulnerability in the Oracle CRM Technical Foundation product of Oracle E-Business Suite component: Admin Console. Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle CRM Technica...
Design/Logic Flaw
Vulnerability in the Oracle CRM Technical Foundation product of Oracle E-Business Suite component: Admin Console. Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle CRM Technica...
CVE-2024-20939
CVE-2024-20939 affects Oracle E-Business Suite, specifically the Oracle CRM Technical Foundation Admin Console, with versions 12.2.3–12.2.13 vulnerable. The issue is an input validation/logic flaw that allows a low-privilege, network-accessible attacker via HTTP to cause a partial denial of servi...
WhatsUp Gold 2022 (22.1.0 Build 39) - XSS
Exploit Title: WhatsUpGold 22.1.0 - Stored Cross-Site Scripting XSS Date: April 18, 2023 Exploit Author: Andreas Finstad 4ndr34z Vendor Homepage: https://www.whatsupgold.com Version: v.22.1.0 Build 39 Tested on: Windows 2022 Server CVE : CVE-2023-35759 Reference:...
WhatsUp Gold 2022 22.1.0 Build 39 Cross Site Scripting
Exploit Title: WhatsUpGold 22.1.0 - Stored Cross-Site Scripting XSS Date: April 18, 2023 Exploit Author: Andreas Finstad 4ndr34z Vendor Homepage: https://www.whatsupgold.com Version: v.22.1.0 Build 39 Tested on: Windows 2022 Server CVE : CVE-2023-35759 Reference:...
WhatsUp Gold 2022 (22.1.0 Build 39) - XSS Vulnerability
Exploit Title: WhatsUpGold 22.1.0 - Stored Cross-Site Scripting XSS Exploit Author: Andreas Finstad 4ndr34z Vendor Homepage: https://www.whatsupgold.com Version: v.22.1.0 Build 39 Tested on: Windows 2022 Server CVE : CVE-2023-35759 Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-35759 WhatsU...
CVE-2023-47148
IBM Storage Protect Plus Server 10.1.0 through 10.1.15.2 Admin Console could allow a remote attacker to obtain sensitive information due to improper validation of unsecured endpoints which could be used in further attacks against the system. IBM X-Force ID: 270599...