Nopcommerce
CVE-2019-11519
MEDIUM
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Libraries/Nop.Services/Localization/LocalizationService.cs in nopCommerce through 4.10 allows XXE via the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen.
AnalysisAI
Libraries/Nop.Services/Localization/LocalizationService.cs in nopCommerce through 4.10 allows XXE via the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as XML External Entity (XXE) (CWE-611), which allows attackers to read arbitrary files or perform SSRF through XML processing. Libraries/Nop.Services/Localization/LocalizationService.cs in nopCommerce through 4.10 allows XXE via the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen. Affected products include: Nopcommerce. Version information: through 4.10.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Disable external entity processing in XML parsers, use JSON instead of XML where possible.
More in Nopcommerce
View allRoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to ../ path traversal via d or f to Admin/RoxyFileman/Pro
RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to CSRF because GET requests can be used for renames and
nopCommerce v4.2.0 allows privilege escalation via file upload in Presentation/Nop.Web/Admin/Areas/Controllers/PluginCon
nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination
In nopCommerce 4.50.1, an open redirect vulnerability can be triggered by luring a user to authenticate to a nopCommerce
nopCommerce 4.40.3 is vulnerable to XSS in the Product Name at /Admin/Product/Edit/[id]. Each time a user views the prod
Nopcommerce 4.70.1 is vulnerable to Cross Site Scripting (XSS) via the combined "AddProductReview.Title" and "AddProduct
Multiple open redirect vulnerabilities in NopCommerce 4.10 through 4.50.1 allow remote attackers to conduct phishing att
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is
In nopCommerce 4.30, a Reflected XSS issue in the Discount Coupon component allows remote attackers to inject arbitrary
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS) via the "Text" parameter (forums) when creating a new pos
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is
Share
External POC / Exploit Code
Leaving vuln.today