Xmall

4 CVEs product


CVE-2023-36331 HIGH POC This Week

Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users' order details via manipulation of the query parameter userId. [CVSS 8.2 HIGH]

Authentication Bypass | Xmall
NVD GitHub
CVSS 3.1: 8.2 | EPSS: 0.1%
CVE-2025-65540 MEDIUM POC This Month

Multiple Cross-Site Scripting (XSS) vulnerabilities exist in xmall v1.1 due to improper handling of user-supplied data. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS | Xmall
NVD GitHub
CVSS 3.1: 6.1 | EPSS: 0.0%
CVE-2025-45612 CRITICAL POC Act Now

Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass | Xmall
NVD GitHub
CVSS 3.1: 9.8 | EPSS: 0.3%
CVE-2025-28399 CRITICAL POC Act Now

An issue in Erick xmall v.1.1 and before allows a remote attacker to escalate privileges via the updateAddress method of the Address Controller class. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation | Xmall
NVD GitHub
CVSS 3.1: 9.8 | EPSS: 1.0%