Skip to main content

Qloapps CVE-2023-36288

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-06-23 cve@mitre.org
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jun 23, 2023 - 15:15 nvd
MEDIUM 5.4

DescriptionNVD

An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via GET configure parameter.

AnalysisAI

An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via GET configure. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via GET configure parameter. Affected products include: Webkul Qloapps.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2025-67325 CRITICAL POC
9.8 Jan 08

QloApps hotel management system (through 1.7.0) allows unauthenticated web shell upload through the hotel review feature

CVE-2023-36284 HIGH POC
7.5 Jun 23

An unauthenticated Time-Based SQL injection found in Webkul QloApps 1.6.0 via GET parameter date_from, date_to, and id_p

CVE-2024-40318 HIGH POC
7.2 Jul 25

An arbitrary file upload vulnerability in Webkul Qloapps v1.6.0.0 allows attackers to execute arbitrary code via uploadi

CVE-2023-36287 MEDIUM POC
6.1 Jun 23

An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a

CVE-2023-36289 MEDIUM POC
6.1 Jun 23

An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a

CVE-2023-30256 MEDIUM POC
6.1 May 11

Cross Site Scripting vulnerability found in Webkil QloApps v.1.5.2 allows a remote attacker to obtain sensitive informat

CVE-2025-10759 MEDIUM POC
5.5 Sep 21

A vulnerability was detected in Webkul QloApps up to 1.7.0. Rated medium severity (CVSS 5.5), this vulnerability is remo

CVE-2025-1155 MEDIUM POC
5.3 Feb 10

A vulnerability, which was classified as problematic, was found in Webkul QloApps 1.6.1. Rated medium severity (CVSS 5.3

CVE-2026-25558 MEDIUM POC
4.8 Jun 08

Stored cross-site scripting in QloApps through 1.7.0 enables authenticated administrators to inject persistent JavaScrip

CVE-2025-26058 MEDIUM POC
4.2 Feb 18

Webkul QloApps v1.6.1 exposes authentication tokens in URLs during redirection. Rated medium severity (CVSS 4.2), this v

CVE-2026-25861 HIGH
8.2 Jun 02

Weak password hashing in QloApps through 1.7.0 enables credential compromise because Tools::encrypt() in classes/Tools.p

CVE-2021-41074 MEDIUM
5.4 Jan 12

A CSRF issue in index.php in QloApps hotel eCommerce 1.5.1 allows an attacker to change the admin's email address via a

Share

CVE-2023-36288 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy