13 matches found
CVE-2024-8568
Mini-Tmall is affected by a SQL injection in the function RewardMapper.select inside tmall/admin/order/1/1, triggered by manipulating the orderBy argument. Affected versions are up to 20240901. Exploitation is remote and has been disclosed publicly; vendor contact occurred with no evident respons...
CVE-2025-5135
CVE-2025-5135 affects Tmall Demo up to 20250505. The vulnerability is an XSS in the Product Details Page, triggered by manipulating the Product Name/Product Title in the file path /tmall/admin/. The issue concerns some unknown functionality of that admin path and is exploitable remotely; the expl...
CVE-2025-1843
CVE-2025-1843 affects Mini-Tmall up to 20250211. The issue lies in the file com/xq/tmall/dao/ProductMapper.java, in the select function where manipulating the argument orderBy enables an SQL injection. The vulnerability can be triggered remotely, and the exploit has been disclosed publicly. Multi...
CVE-2025-5136
CVE-2025-5136 affects Tmall Demo up to 20250505 in the Payment Identifier Handler, specifically the file path /tmall/order/pay/. The root issue is insufficiently random values in the payment identifier, enabling remote attack; attack vector is NETWORK with HIGH complexity and NONE authentication....
CVE-2024-40554
CVE-2024-40554 describes an access control issue in the Mini-Tmall/Tmall_demo v2024.07.03 where attackers can obtain sensitive information. The explicit affected component is the Tmall_demo application (version 2024.07.03); the underlying cause is identified as an access control flaw. The NVD ent...
CVE-2025-5131
CVE-2025-5131 affects Tmall Demo (up to 20250505). The issue is in the uploadCategoryImage function (tmall/admin/uploadCategoryImage) where improper handling of the File argument enables unrestricted file upload. This vulnerability can be exploited remotely; the exploit has been disclosed publicl...
CVE-2025-5132
CVE-2025-5132 affects Tmall Demo up to 20250505, exposing a cross-site request forgery in the file tmall/admin/account/logout. The CSRF arises from misuse of this logout endpoint and can be triggered remotely; exploitation has been disclosed publicly. Affected/general details are not version-scop...
CVE-2024-40555
CVE-2024-40555 affects Tmall_demo v2024.07.03 and is described in connected sources as an arbitrary file upload vulnerability. The available documents confirm the issue exists in that version but do not provide technical specifics about vulnerable components, exact root cause, vulnerable file han...
CVE-2024-40560
CVE-2024-40560 affects Mini-Tmall (Spring Boot-based mini-Tmall mall). Vulnerability: SQL injection due to lack of validation of externally entered SQL statements in versions prior to 2024.07.03. Impact: potential exposure of sensitive database data. Mitigation: upgrade to Mini-Tmall v2024.07.03 ...
CVE-2025-5130
CVE-2025-5130 affects Tmall Demo up to 20250505, specifically the uploadProductImage function in tmall/admin/uploadProductImage. The root cause is manipulation of the File argument enabling unrestricted image uploads, with remote exploitation possible and public disclosure of the exploit. Version...
CVE-2025-5133
CVE-2025-5133 concerns Tmall Demo up to 20250505, affecting the Search Box component. The vulnerability is a cross-site scripting (XSS) issue caused by a misbehavior of an unknown function in the Search Box, enabling remote exploitation. The exploit has been publicly disclosed; no affected versio...
CVE-2025-5134
CVE-2025-5134 affects Tmall Demo up to 20250505, specifically the Buy Item Page’s Detailed Address parameter, enabling cross-site scripting. Exploitable remotely; exploit disclosed publicly. No version details or patch information provided in the sources; some reports suggest restricting the Deta...
CVE-2024-40553
CVE-2024-40553 affects Tmall_demo v2024.07.03, where an arbitrary file upload is possible through the uploadUserHeadImage component. The incident is documented across Red Hat/NVD/CVE listings and third-party feeds. According to the initial metrics, the CVSS 3.1 vector indicates Network access, lo...