Lucene search
K
WebkulQloapps

14 matches found

CVE
CVE
added 2023/05/11 12:0 a.m.75 views

CVE-2023-30256

CVE-2023-30256 affects Webkul Webkil/QloApps v1.5.2. The issue is a Cross‑Site Scripting (XSS) vulnerability in the AuthController.php handling the two parameters, back and email_create , which can be exploited by remote attackers to obtain sensitive information and potentially execute script in ...

6.1CVSS5.8AI score0.08731EPSS
Web
CVE
CVE
added 2025/02/06 2:0 p.m.70 views

CVE-2025-1074

Webkul QloApps 1.6.1 is affected by a cross-site request forgery in the URL Handler logout function at /en/?mylogout. The vulnerability stems from the logout endpoint logic, enabling remote CSRF exploitation. Public exploit/disclosures exist and the vendor has been informed and is working on a fi...

5.3CVSS4.7AI score0.00321EPSS
Web
CVE
CVE
added 2025/02/18 12:0 a.m.68 views

CVE-2025-26058

CVE-2025-26058 affects Webkul QloApps v1.6.1, where authentication tokens are exposed in URLs during redirection. The vulnerability is that the application appends sensitive authentication tokens directly to the URL when accessing admin or protected areas. The connected sources confirm the affect...

4.2CVSS7.2AI score0.00205EPSS
CVE
CVE
added 2023/06/23 12:0 a.m.65 views

CVE-2023-36289

Webkul QloApps 1.6.0 is affected by an unauthenticated Cross-Site Scripting (XSS) vulnerability that allows an attacker to obtain a user’s session cookie and impersonate the user via POST email_create and back parameter. Impact: potential session hijacking and user impersonation. Remediation: app...

6.1CVSS5.9AI score0.01169EPSS
CVE
CVE
added 2023/06/23 12:0 a.m.64 views

CVE-2023-36287

Webkul QloApps 1.6.0 is affected by an unauthenticated Cross‑Site Scripting (XSS) vulnerability. The issue enables an attacker to exfiltrate a user’s session cookie and impersonate the user via a POST controller parameter. Evidence appears in the Nuclei template for CVE-2023-36287 and mirrors oth...

6.1CVSS5.9AI score0.01199EPSS
CVE
CVE
added 2024/07/25 12:0 a.m.64 views

CVE-2024-40318

CVE-2024-40318 is an arbitrary file upload vulnerability in Webkul Qloapps v1.6.0.0 that enables remote code execution. The root cause involves bypassing file upload restrictions via crafted uploads, with the Red Hat/NVD OSV entries and PT Security notes corroborating a code-execution outcome. Im...

7.2CVSS7.8AI score0.01183EPSS
CVE
CVE
added 2025/02/10 8:0 p.m.64 views

CVE-2025-1155

CVE-2025-1155 affects Webkul QloApps 1.6.1, specifically the Your Location Search component in the /stores path. Reported vulnerability is a cross-site scripting (XSS) issue generated by manipulating input in an unknown part of the stores file. It is exploitable remotely according to the sources....

6.1CVSS4.3AI score0.00528EPSS
CVE
CVE
added 2023/06/23 12:0 a.m.55 views

CVE-2023-36284

Webkul QloApps 1.6.0 contains an unauthenticated Time-Based SQL injection via GET parameters date_from, date_to, and id_product. The underlying flaw allows an attacker to bypass authentication/authorization and retrieve the database contents. The issue is documented across multiple feeds (NVD, NV...

7.5CVSS8.1AI score0.03157EPSS
CVE
CVE
added 2023/06/23 12:0 a.m.50 views

CVE-2023-36288

The CVE-2023-36288 issue affects Webkul QloApps v1.6.0 and is an unauthenticated Cross-Site Scripting (XSS) flaw in the configure parameter of a GET request. The underlying risk is that an attacker can steal a user’s session cookie and impersonate that user. There is no explicit evidence of explo...

5.4CVSS5.3AI score0.00444EPSS
CVE
CVE
added 2024/01/17 12:0 a.m.40 views

CVE-2023-36235

CVE-2023-36235 affects Webkul Qloapps prior to version 1.6.0 , exposing sensitive information via the id_order parameter. The available connected document details indicate an information disclosure risk rooted in handling of the id_order input, enabling an attacker to obtain sensitive data. The v...

6.5CVSS6.2AI score0.00656EPSS
CVE
CVE
added 2025/06/17 6:31 a.m.39 views

CVE-2025-6173

Webkul QloApps 1.6.1 is affected by a SQL injection in /admin/ajax_products_list.php via manipulation of the packItself parameter. The vulnerability is exploitable remotely; exploitation details have been disclosed publicly. The vendor notes admin-privilege prerequisites and a fix is planned for ...

7.2CVSS7.6AI score0.00468EPSS
Web
CVE
CVE
added 2025/09/21 1:2 a.m.21 views

CVE-2025-10759

Webkul QloApps up to 1.7.0 is affected by a CSRF Token Handler vulnerability. Manipulating the token argument can bypass authorization, potentially enabling remote abuse. The exploit is public. Vendor states a fix will be implemented in the next major release; no specific patched version is provi...

6.9CVSS5.5AI score0.0032EPSS
CVE
CVE
added 2026/01/08 12:0 a.m.16 views

CVE-2025-67325

CVE-2025-67325 is an unrestricted file upload vulnerability in QloApps, affecting version 1.7.0 and earlier within the hotel review feature. The issue allows remote unauthenticated attackers to achieve remote code execution (RCE). Public advisories corroborate the RCE potential; evidence of a PoC...

9.8CVSS7.8AI score0.00832EPSS
CVE
CVE
added 2026/01/12 12:0 a.m.14 views

CVE-2021-41074

CVE-2021-41074 – QloApps hotel eCommerce 1.5.1 CSRF in index.php : A crafted HTML document can cause change of the administrator’s email address. This is a Cross-Site Request Forgery issue in the index.php file of QloApps 1.5.1. Public sources in the connected documents confirm the vulnerability ...

5.4CVSS6.3AI score0.00122EPSS