Cross-site Request Forgery (CSRF)
Overview Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the comment add/edit endpoints. An attacker can perform unauthorized actions on behalf of authenticated users by tricking them into submitting a crafted request from another site; the browser attaches the victim's session cookie, so the server treats the request as legitimate. Remediation Upgrade...
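The following is an added illustration of the vulnerable endpoint shape and a synchronizer-token fix in plain PHP; it is not YOSHOP's code or the advisory's patch, and the function names, the `_token` field, the `$_SESSION` keys and the in-memory comment store are all assumptions.

```php
<?php
// Added example, not the project's code. Demonstrates why a state-changing
// comment endpoint is forgeable and how a per-session token closes it.

// Defence in depth: a SameSite cookie stops most cross-site POSTs from
// carrying the session at all (PHP >= 7.3). 'Lax' keeps top-level GET working.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Issue (or reuse) a per-session random token to embed in every form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject the request unless the submitted token matches the session token.
// hash_equals() compares in constant time.
function requireCsrfToken(array $post): void
{
    $submitted = (string) ($post['_token'] ?? '');
    $expected  = (string) ($_SESSION['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $submitted)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
}

// In-memory stand-in for the comment table (assumed, for the example only).
function saveComment(int $goodsId, string $content): int
{
    $_SESSION['comments'][] = ['goods_id' => $goodsId, 'content' => $content];
    return count($_SESSION['comments']);
}

// Vulnerable shape: any request that carries the victim's cookie is honoured,
// so a hidden auto-submitting form on an attacker's page posts a comment.
function handleAddCommentVulnerable(array $post): int
{
    return saveComment((int) ($post['goods_id'] ?? 0), (string) ($post['content'] ?? ''));
}

// Hardened shape: require POST and a valid token before any state change.
function handleAddComment(array $post): int
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('POST required');
    }
    requireCsrfToken($post);
    return saveComment((int) ($post['goods_id'] ?? 0), (string) ($post['content'] ?? ''));
}

// Form rendering, with the token as a hidden field:
// <input type="hidden" name="_token" value="<?= htmlspecialchars(csrfToken()) ?>">
```

The token must be tied to the session and compared with `hash_equals`; checking only `Referer`/`Origin` headers is a weaker fallback because those headers can be absent. The edit endpoint needs the same `requireCsrfToken` call, since both endpoints are named in the advisory.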
CVE-2025-56161
Summary of CVE-2025-56161 (YOSHOP 2.0): Unauthenticated information disclosure via the Goods module’s comment-list endpoints. The Comment model eagerly loads the related User model without field filtering, and since User.php defines no $hidden or $visible attributes, sensitive fields (bcrypt pass...
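To make the mechanism concrete, here is an added illustration in plain PHP of how eager-loading a relation without field filtering exports every column of the related model, and of the two fixes the summary implies ($hidden on the User model, or an allow-list for the public endpoint). This is not YOSHOP's or ThinkPHP's code: the tiny `Model` base class, the class and field names and the sample row are all constructed for the example.

```php
<?php
// Added example, not the project's code. A minimal ORM-style model whose
// toArray() serialises eager-loaded relations recursively, as the advisory
// describes, so the leak and the fixes can be compared side by side.

abstract class Model
{
    protected array $attributes = [];
    protected array $relations  = [];
    protected array $hidden     = [];   // fields removed on toArray()
    protected array $visible    = [];   // if non-empty, the only fields kept

    public function __construct(array $attributes)
    {
        $this->attributes = $attributes;
    }

    // Attach an eager-loaded relation (e.g. Comment -> User).
    public function with(string $name, Model $related): static
    {
        $this->relations[$name] = $related;
        return $this;
    }

    // Relations are serialised with the related model's own $visible/$hidden
    // rules; if the related model declares neither, every column goes out.
    public function toArray(): array
    {
        $data = $this->attributes;
        if ($this->visible !== []) {
            $data = array_intersect_key($data, array_flip($this->visible));
        }
        $data = array_diff_key($data, array_flip($this->hidden));
        foreach ($this->relations as $name => $model) {
            $data[$name] = $model->toArray();
        }
        return $data;
    }
}

// Vulnerable shape: no $hidden or $visible, so the password hash is exported.
class LeakyUser extends Model {}

// Fix 1: deny-list secrets on the model itself (field names are assumed).
class User extends Model
{
    protected array $hidden = ['password', 'pay_password', 'mobile', 'email'];
}

// Fix 2: allow-list only what an unauthenticated comment list needs.
class PublicUser extends Model
{
    protected array $visible = ['user_id', 'nickname', 'avatar'];
}

class Comment extends Model {}

// Constructed sample row; the hash is a placeholder, not a real credential.
$userRow = [
    'user_id'  => 7,
    'nickname' => 'alice',
    'avatar'   => 'a.png',
    'password' => '$2y$10$constructedplaceholderhash',
    'mobile'   => '13800000000',
];

function commentExposesPassword(Model $user): bool
{
    $comment = (new Comment(['comment_id' => 1, 'content' => 'nice']))
        ->with('user', $user);
    return isset($comment->toArray()['user']['password']);
}

var_dump(commentExposesPassword(new LeakyUser($userRow)));
var_dump(commentExposesPassword(new User($userRow)));
var_dump(commentExposesPassword(new PublicUser($userRow)));
```

Of the two fixes, the allow-list is the safer default for an unauthenticated endpoint: a deny-list silently stops protecting the moment a new sensitive column is added to the users table. In a real ORM the equivalent is restricting the relation's selected fields at the call site (for ThinkPHP, a `field()` constraint inside the `with()` closure), which narrows the query itself rather than only the serialised output.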