Vvveb
Vvveb CMS versions before 1.0.8.3 allow authenticated users to hijack other users' shopping carts during checkout. The checkout endpoint fails to verify cart ownership when processing a user-supplied cart_id parameter, enabling attackers to access and potentially complete purchases using another user's cart contents. This vulnerability has been patched in version 1.0.8.3.
Authenticated administrators in Vvveb CMS versions before 1.0.8.3 can access REST API tokens of other administrators through the admin/auth-token endpoint by manipulating the admin_id parameter. This authorization bypass allows lateral privilege escalation between admin accounts, potentially compromising all administrative API operations. The vulnerability requires low-privileged authenticated access and has been patched in version 1.0.8.3.
SQL injection in Vvveb CMS versions before 1.0.8.3 allows authenticated frontend users to execute arbitrary SQL queries through the order history page. The vulnerability exists in the /user/orders endpoint where order_by and direction parameters are directly concatenated into SQL queries without sanitization, enabling database compromise with low-privileged user credentials. The vendor has released version 1.0.8.3 to address this issue.
Unauthenticated reflected cross-site scripting (XSS) in Vvveb CMS versions prior to 1.0.8.3 enables attackers to execute arbitrary JavaScript in victim browsers via the public product return form. The customer_order_id parameter is reflected without sanitization in error messages when order lookups fail, allowing HTML injection. No public exploit identified at time of analysis. While CVSS 5.3 indicates moderate severity, the unauthenticated attack vector (PR:N) and low complexity (AC:L) make this readily exploitable against any site visitor, though user interaction (UI:P) is required to submit the malicious form.
Cross-site scripting (XSS) in Vvveb CMS versions prior to 1.0.8.3 allows authenticated users to inject malicious scripts that execute in victim browsers with user interaction. The CVSS 4.0 vector indicates a network-based attack requiring low-privilege authentication and user interaction, with low confidentiality and integrity impact on the Subsequent System. A GitHub security advisory confirms the vulnerability, with patch version 1.0.8.3 available. No public exploit code was identified at time of analysis, and EPSS data is not available for this recently assigned CVE.
Negative quantity manipulation in Vvveb CMS versions before 1.0.8.2 allows unauthenticated remote attackers to create orders with negative totals, potentially defrauding merchants. The cart-add endpoint accepts negative quantity values that propagate through the entire order flow, creating legitimate-looking orders where the merchant appears to owe money to the customer. Fixed in version 1.0.8.2.
Stored cross-site scripting in Vvveb CMS comment submission allows unauthenticated attackers to inject malicious JavaScript through the author field on public post pages. The payload persists in the database and executes in two distinct contexts when administrators or other users view the comments, enabling session hijacking, credential theft, or administrative action manipulation. No public exploit code has been identified at time of analysis, though exploitation requires only user interaction (a victim viewing the malicious comment). EPSS data not available; CVSS 6.1 reflects moderate severity with a scope change (S:C).
Vvveb before 1.0.8.2 exposes the application's secret cron key through an unauthenticated cron controller endpoint, allowing remote attackers to retrieve this sensitive credential and trigger scheduled tasks outside their intended execution windows. The vulnerability affects all deployments with the vulnerable cron controller accessible over the network, with CVSS 5.3 reflecting confidentiality impact from information disclosure without authentication requirements.
Unauthenticated reflected cross-site scripting (XSS) in Vvveb before 1.0.8.2 allows remote attackers to execute arbitrary JavaScript in the context of the Vvveb origin by manipulating the r query parameter and _component_ajax POST parameter in the visual editor preview renderer. The vulnerability exploits the absence of session, role, or token verification in the isEditor() gating function combined with unsanitized injection of POST body content, requiring only user interaction to trigger but affecting all versions prior to 1.0.8.2. Active exploitation status is not confirmed, but a vendor-released patch is available.
Vvveb before version 1.0.8.2 allows unauthenticated remote attackers to disclose sensitive server information including absolute file paths, internal class namespaces, line numbers, and source code excerpts by accessing the admin password-reset endpoint and triggering a fatal error caused by missing namespace imports. The debug exception handler renders full stack traces to unauthenticated requests, enabling reconnaissance attacks without authentication or user interaction. No active exploitation confirmed, but the vulnerability is easily discoverable and exploitable over the network.
Remote code execution in Vvveb CMS versions before 1.0.8.2 enables low-privilege authenticated users (editor, author, contributor, or site_admin roles) to escalate privileges and execute arbitrary PHP code. Attackers exploit the admin code editor's insufficient file extension validation by first uploading a malicious .htaccess file that maps arbitrary extensions to the PHP handler, then uploading PHP code disguised with that extension. Once uploaded, the PHP code executes with web server privileges when accessed via HTTP, effectively bypassing authentication and achieving full system compromise. The vulnerability requires only low-privilege access (PR:L) with no attack complexity or user interaction (AC:L/UI:N), and vendor-released patch version 1.0.8.2 is confirmed available via GitHub. No public exploit code or active exploitation (KEV) confirmed at time of analysis.
Server-Side Request Forgery in Vvveb CMS versions prior to 1.0.8.1 allows authenticated backend users to read arbitrary local files via file:// URLs or probe internal network services via http:// URLs through the oEmbedProxy action's unvalidated url parameter. The vulnerability (CWE-918) enables information disclosure from the web server's filesystem and internal network reconnaissance. Patch available in version 1.0.8.1. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.
Privilege escalation in Vvveb CMS versions prior to 1.0.8.1 allows authenticated low-privileged users to inject role_id=1 into profile save requests, escalating to Super Administrator and enabling plugin upload for remote code execution. Vendor patch available in version 1.0.8.1. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. EPSS data not provided; KEV status unknown. Public disclosure via VulnCheck advisory with commit-level fix details increases likelihood of exploitation attempts.
Stored cross-site scripting in Vvveb prior to 1.0.8.1 allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript in administrator browsers by bypassing MIME type validation with a GIF89a header prepend, renaming files to .html extensions, and injecting malicious payloads that can create backdoor accounts or upload remote code execution plugins. Publicly available exploit code exists and vendor-released patch 1.0.8.1 is available. Real-world risk is moderate due to authentication requirement and required user interaction (administrator must visit malicious page), but privilege escalation path to RCE via plugin upload makes this a critical persistence vector.
Path traversal in givanz Vvveb up to 1.0.7.3 allows authenticated remote attackers to manipulate the File argument in the Code Editor's sanitizeFileName function, enabling unauthorized file system access with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, though an EPSS score of 0.05% suggests limited real-world exploitation despite the availability of a proof-of-concept.
SQL injection in Vvveb up to version 1.0.7.3 allows authenticated high-privileged remote attackers to execute arbitrary SQL queries through the Raw SQL Handler import function in admin/controller/tools/import.php. The vulnerability requires administrative credentials and has been publicly disclosed with exploit code available, though EPSS modeling indicates low real-world exploitation probability at 0.04%.
A security flaw has been discovered in givanz Vvveb up to 1.0.7.2. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available and no vendor patch is available.
A security vulnerability has been detected in givanz Vvveb 1.0.7.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available.
An issue in vvveb CMS v.1.0.6 allows a remote attacker to execute arbitrary code via the Plugin mechanism. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available.