Vendure-Ecommerce Vendure vulnerabilities
2 known vulnerabilities affecting vendure-ecommerce/vendure.
Total CVEs: 2
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 1, MEDIUM 1
Vulnerabilities
CVE-2024-48914 | P1 | CRITICAL | CVSS 9.1 | Exploited | PoC | fixed in 2.3.3 | v >= 3.0.0, < 3.0.5 | 2024-10-15
CVE-2024-48914 [CRITICAL] CWE-20
Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data such as configuration files, environment variables, an
nvd
CVE-2022-23065 | P4 | MEDIUM | CVSS 5.4 | ≥ 0.1.0-alpha.2, < unspecified | ≥ unspecified, ≤ 1.5.1 | 2022-05-02
CVE-2022-23065 [MEDIUM] CWE-79
Vendure versions 0.1.0-alpha.2 to 1.5.1 are affected by a stored XSS vulnerability, where an attacker with catalog permission can upload an SVG file that contains malicious JavaScript into the “Assets” tab. The uploaded file will affect administrators as well as regular users.
nvd