Jpacookieshop
Cross-site request forgery in jerryshensjf JPACookieShop (蛋糕商城JPA版) allows unauthenticated remote attackers to perform unauthorized actions via crafted requests to AdminTypeCustController.java, requiring user interaction. The vulnerability has a low CVSS score of 2.1 but public exploit code is available; however, the extremely low EPSS percentile (23%) suggests minimal real-world exploitation despite public disclosure.
Stored cross-site scripting (XSS) in JPACookieShop GoodsController allows authenticated users to inject malicious scripts that execute in other users' browsers, with public exploit code available and CVSS 2.0 reflecting low impact due to required user interaction and authenticated access prerequisites.
Reflected cross-site scripting (XSS) in JPACookieShop's GoodsCustController.goodsSearch function allows remote unauthenticated attackers to inject malicious scripts via the keyword parameter, affecting the sessions of users who open the crafted link; the attack itself has low complexity. The vulnerability carries a CVSS 2.1 score but requires user interaction (clicking a malicious link), and public exploit code is available. With an EPSS of 0.06% and no confirmed active exploitation in the wild, the real-world risk is low despite the disclosed PoC.
Authorization bypass in JPACookieShop (蛋糕商城JPA版) version 1.0 allows authenticated remote attackers to modify goods via the updateGoods function in GoodsController.java without proper privilege validation. The vulnerability has public exploit code available but carries low real-world risk due to a CVSS score of 2.1 (EPSS 0.06%), indicating exploitation is unlikely despite authenticated access requirements and public disclosure.