14 matches found
CVE-2023-30256
CVE-2023-30256 affects Webkul Webkil/QloApps v1.5.2. The issue is a Cross‑Site Scripting (XSS) vulnerability in the AuthController.php handling the two parameters, back and email_create , which can be exploited by remote attackers to obtain sensitive information and potentially execute script in ...
CVE-2025-1074
Webkul QloApps 1.6.1 is affected by a cross-site request forgery in the URL Handler logout function at /en/?mylogout. The vulnerability stems from the logout endpoint logic, enabling remote CSRF exploitation. Public exploit/disclosures exist and the vendor has been informed and is working on a fi...
CVE-2025-26058
CVE-2025-26058 affects Webkul QloApps v1.6.1, where authentication tokens are exposed in URLs during redirection. The vulnerability is that the application appends sensitive authentication tokens directly to the URL when accessing admin or protected areas. The connected sources confirm the affect...
CVE-2023-36289
Webkul QloApps 1.6.0 is affected by an unauthenticated Cross-Site Scripting (XSS) vulnerability that allows an attacker to obtain a user’s session cookie and impersonate the user via POST email_create and back parameter. Impact: potential session hijacking and user impersonation. Remediation: app...
CVE-2023-36287
Webkul QloApps 1.6.0 is affected by an unauthenticated Cross‑Site Scripting (XSS) vulnerability. The issue enables an attacker to exfiltrate a user’s session cookie and impersonate the user via a POST controller parameter. Evidence appears in the Nuclei template for CVE-2023-36287 and mirrors oth...
CVE-2024-40318
CVE-2024-40318 is an arbitrary file upload vulnerability in Webkul Qloapps v1.6.0.0 that enables remote code execution. The root cause involves bypassing file upload restrictions via crafted uploads, with the Red Hat/NVD OSV entries and PT Security notes corroborating a code-execution outcome. Im...
CVE-2025-1155
CVE-2025-1155 affects Webkul QloApps 1.6.1, specifically the Your Location Search component in the /stores path. Reported vulnerability is a cross-site scripting (XSS) issue generated by manipulating input in an unknown part of the stores file. It is exploitable remotely according to the sources....
CVE-2023-36284
Webkul QloApps 1.6.0 contains an unauthenticated Time-Based SQL injection via GET parameters date_from, date_to, and id_product. The underlying flaw allows an attacker to bypass authentication/authorization and retrieve the database contents. The issue is documented across multiple feeds (NVD, NV...
CVE-2023-36288
The CVE-2023-36288 issue affects Webkul QloApps v1.6.0 and is an unauthenticated Cross-Site Scripting (XSS) flaw in the configure parameter of a GET request. The underlying risk is that an attacker can steal a user’s session cookie and impersonate that user. There is no explicit evidence of explo...
CVE-2023-36235
CVE-2023-36235 affects Webkul Qloapps prior to version 1.6.0 , exposing sensitive information via the id_order parameter. The available connected document details indicate an information disclosure risk rooted in handling of the id_order input, enabling an attacker to obtain sensitive data. The v...
CVE-2025-6173
Webkul QloApps 1.6.1 is affected by a SQL injection in /admin/ajax_products_list.php via manipulation of the packItself parameter. The vulnerability is exploitable remotely; exploitation details have been disclosed publicly. The vendor notes admin-privilege prerequisites and a fix is planned for ...
CVE-2025-10759
Webkul QloApps up to 1.7.0 is affected by a CSRF Token Handler vulnerability. Manipulating the token argument can bypass authorization, potentially enabling remote abuse. The exploit is public. Vendor states a fix will be implemented in the next major release; no specific patched version is provi...
CVE-2025-67325
CVE-2025-67325 is an unrestricted file upload vulnerability in QloApps, affecting version 1.7.0 and earlier within the hotel review feature. The issue allows remote unauthenticated attackers to achieve remote code execution (RCE). Public advisories corroborate the RCE potential; evidence of a PoC...
CVE-2021-41074
CVE-2021-41074 – QloApps hotel eCommerce 1.5.1 CSRF in index.php : A crafted HTML document can cause change of the administrator’s email address. This is a Cross-Site Request Forgery issue in the index.php file of QloApps 1.5.1. Public sources in the connected documents confirm the vulnerability ...