Coreshop

2 CVEs product


CVE-2026-23959 MEDIUM PATCH This Month

Improper input sanitization in CoreShop's CustomerTransformerController prior to version 4.1.9 allows authenticated administrators to inject SQL commands through the admin panel, enabling database error-based information disclosure. An attacker with high-privilege access can exploit this to extract sensitive data from the underlying database without modifying or deleting records. A patch is available in version 4.1.9 and later.

SQLi Coreshop
NVD GitHub
CVSS 3.1: 4.9
EPSS: 0.0%

CVE-2026-22242 MEDIUM POC PATCH This Month

Blind SQL injection in CoreShop prior to version 4.1.8 allows authenticated administrators to extract sensitive database information through boolean-based or time-based attack techniques. The vulnerability is limited to information disclosure due to the application's read-only database permissions, preventing data modification or denial of service. Public exploit code exists for this vulnerability; administrators should upgrade to version 4.1.8 or later.

SQLi Coreshop
NVD GitHub
CVSS 3.1: 4.9
EPSS: 0.0%
