Bieticaret
Monthly
SQL injection in Inrove BiEticaret e-commerce platform before v3.3.57 allows remote unauthenticated attackers to inject arbitrary SQL commands (CWE-89) through improperly neutralized input, per the CVSS:3.1/AV:N/AC:L/PR:N/UI:N vector. Successful exploitation yields full read/write access to the backing database (C:H/I:H/A:H, CVSS 9.8). This flaw was reported by TR-CERT (Turkey's national CERT); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Reflected cross-site scripting in BiEticaret, a Turkish e-commerce platform by Inrove Software and Internet Services, enables remote unauthenticated attackers to inject and execute malicious JavaScript in victims' browsers by tricking them into clicking a crafted URL. All versions prior to v3.3.57 are affected across the full product line. No active exploitation has been confirmed by CISA KEV, and no public proof-of-concept has been identified at time of analysis; however, the low attack complexity and absence of authentication requirements make this straightforward to exploit once a target is socially engineered.
SQL injection in Inrove BiEticaret e-commerce platform before v3.3.57 allows remote unauthenticated attackers to inject arbitrary SQL commands (CWE-89) through improperly neutralized input, per the CVSS:3.1/AV:N/AC:L/PR:N/UI:N vector. Successful exploitation yields full read/write access to the backing database (C:H/I:H/A:H, CVSS 9.8). This flaw was reported by TR-CERT (Turkey's national CERT); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Reflected cross-site scripting in BiEticaret, a Turkish e-commerce platform by Inrove Software and Internet Services, enables remote unauthenticated attackers to inject and execute malicious JavaScript in victims' browsers by tricking them into clicking a crafted URL. All versions prior to v3.3.57 are affected across the full product line. No active exploitation has been confirmed by CISA KEV, and no public proof-of-concept has been identified at time of analysis; however, the low attack complexity and absence of authentication requirements make this straightforward to exploit once a target is socially engineered.