Search criteria
10 vulnerabilities found for SmartStoreNET by smartstore
CVE-2020-36365 (GCVE-0-2020-36365)
Vulnerability from nvd – Published: 2021-05-19 18:57 – Updated: 2024-08-04 17:23
VLAI
Summary
Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/smartstore/SmartStoreNET/issues/2113 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:10.435Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/smartstore/SmartStoreNET/issues/2113"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-19T18:57:46.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/smartstore/SmartStoreNET/issues/2113"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36365",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/smartstore/SmartStoreNET/issues/2113",
"refsource": "MISC",
"url": "https://github.com/smartstore/SmartStoreNET/issues/2113"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36365",
"datePublished": "2021-05-19T18:57:46.000Z",
"dateReserved": "2021-05-19T00:00:00.000Z",
"dateUpdated": "2024-08-04T17:23:10.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36364 (GCVE-0-2020-36364)
Vulnerability from nvd – Published: 2021-05-19 18:57 – Updated: 2024-08-04 17:23
VLAI
Summary
An issue was discovered in Smartstore (aka SmartStoreNET) before 4.1.0. Administration/Controllers/ImportController.cs allows path traversal (for copy and delete actions) in the ImportController.Create method via a TempFileName field.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/smartstore/SmartStoreNET/commi… | x_refsource_MISC |
| https://github.com/smartstore/SmartStoreNET/issues/2112 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:10.430Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/smartstore/SmartStoreNET/commit/5ab1e37dc8d6415d04354e1a116f3d82e9555f5c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/smartstore/SmartStoreNET/issues/2112"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Smartstore (aka SmartStoreNET) before 4.1.0. Administration/Controllers/ImportController.cs allows path traversal (for copy and delete actions) in the ImportController.Create method via a TempFileName field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-19T18:57:20.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/smartstore/SmartStoreNET/commit/5ab1e37dc8d6415d04354e1a116f3d82e9555f5c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/smartstore/SmartStoreNET/issues/2112"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36364",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Smartstore (aka SmartStoreNET) before 4.1.0. Administration/Controllers/ImportController.cs allows path traversal (for copy and delete actions) in the ImportController.Create method via a TempFileName field."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/smartstore/SmartStoreNET/commit/5ab1e37dc8d6415d04354e1a116f3d82e9555f5c",
"refsource": "MISC",
"url": "https://github.com/smartstore/SmartStoreNET/commit/5ab1e37dc8d6415d04354e1a116f3d82e9555f5c"
},
{
"name": "https://github.com/smartstore/SmartStoreNET/issues/2112",
"refsource": "MISC",
"url": "https://github.com/smartstore/SmartStoreNET/issues/2112"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36364",
"datePublished": "2021-05-19T18:57:20.000Z",
"dateReserved": "2021-05-19T00:00:00.000Z",
"dateUpdated": "2024-08-04T17:23:10.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27997 (GCVE-0-2020-27997)
Vulnerability from nvd – Published: 2021-02-19 23:00 – Updated: 2024-08-04 16:25
VLAI
Summary
An issue was discovered in SmartStoreNET before 4.1.0. Lack of Cross Site Request Forgery (CSRF) protection may lead to elevation of privileges (e.g., /admin/customer/create to create an admin account).
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/smartstore/SmartStoreNET/compa… | x_refsource_MISC |
| https://securitylab.github.com/advisories/GHSL-20… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:25:44.094Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/smartstore/SmartStoreNET/compare/4.0.1...4.1.0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2020-138-139-SmartstoreAG-SmartStoreNET"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in SmartStoreNET before 4.1.0. Lack of Cross Site Request Forgery (CSRF) protection may lead to elevation of privileges (e.g., /admin/customer/create to create an admin account)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-19T23:00:25.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/smartstore/SmartStoreNET/compare/4.0.1...4.1.0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/advisories/GHSL-2020-138-139-SmartstoreAG-SmartStoreNET"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27997",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in SmartStoreNET before 4.1.0. Lack of Cross Site Request Forgery (CSRF) protection may lead to elevation of privileges (e.g., /admin/customer/create to create an admin account)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/smartstore/SmartStoreNET/compare/4.0.1...4.1.0",
"refsource": "MISC",
"url": "https://github.com/smartstore/SmartStoreNET/compare/4.0.1...4.1.0"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2020-138-139-SmartstoreAG-SmartStoreNET",
"refsource": "MISC",
"url": "https://securitylab.github.com/advisories/GHSL-2020-138-139-SmartstoreAG-SmartStoreNET"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27997",
"datePublished": "2021-02-19T23:00:25.000Z",
"dateReserved": "2020-10-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T16:25:44.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27996 (GCVE-0-2020-27996)
Vulnerability from nvd – Published: 2020-10-29 17:07 – Updated: 2024-08-04 16:25
VLAI
Summary
An issue was discovered in SmartStoreNET before 4.0.1. It does not properly consider the need for a CustomModelPartAttribute decoration in certain ModelBase.CustomProperties situations.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/smartstore/SmartStoreNET/commi… | x_refsource_MISC |
| https://github.com/smartstore/SmartStoreNET/compa… | x_refsource_MISC |
| https://securitylab.github.com/advisories/GHSL-20… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:25:43.967Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/smartstore/SmartStoreNET/commit/8702c6140f4fc91956ef35dba12d24492fb3f768"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/smartstore/SmartStoreNET/compare/4.0.0...4.0.1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2020-138-139-SmartstoreAG-SmartStoreNET"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in SmartStoreNET before 4.0.1. It does not properly consider the need for a CustomModelPartAttribute decoration in certain ModelBase.CustomProperties situations."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-19T23:01:55.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/smartstore/SmartStoreNET/commit/8702c6140f4fc91956ef35dba12d24492fb3f768"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/smartstore/SmartStoreNET/compare/4.0.0...4.0.1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/advisories/GHSL-2020-138-139-SmartstoreAG-SmartStoreNET"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27996",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in SmartStoreNET before 4.0.1. It does not properly consider the need for a CustomModelPartAttribute decoration in certain ModelBase.CustomProperties situations."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/smartstore/SmartStoreNET/commit/8702c6140f4fc91956ef35dba12d24492fb3f768",
"refsource": "MISC",
"url": "https://github.com/smartstore/SmartStoreNET/commit/8702c6140f4fc91956ef35dba12d24492fb3f768"
},
{
"name": "https://github.com/smartstore/SmartStoreNET/compare/4.0.0...4.0.1",
"refsource": "MISC",
"url": "https://github.com/smartstore/SmartStoreNET/compare/4.0.0...4.0.1"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2020-138-139-SmartstoreAG-SmartStoreNET",
"refsource": "MISC",
"url": "https://securitylab.github.com/advisories/GHSL-2020-138-139-SmartstoreAG-SmartStoreNET"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27996",
"datePublished": "2020-10-29T17:07:54.000Z",
"dateReserved": "2020-10-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T16:25:43.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15243 (GCVE-0-2020-15243)
Vulnerability from nvd – Published: 2020-10-08 22:40 – Updated: 2024-08-04 13:08
VLAI
Title
WebApi Authentication attribute missing in Smartstore
Summary
Affected versions of Smartstore have a missing WebApi Authentication attribute. This vulnerability affects Smartstore shops in version 4.0.0 & 4.0.1 which have installed and activated the Web API plugin. Users of Smartstore 4.0.0 and 4.0.1 must merge their repository with 4.0.x or overwrite the file SmartStore.Web.Framework in the */bin* directory of the deployed shop with this file. As a workaround without updating uninstall the Web API plugin to close this vulnerability.
Severity
9.1 (Critical)
CWE
- CWE-287 - Improper Authentication
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/smartstore/SmartStoreNET/secur… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smartstore | SmartStoreNET |
Affected:
>= 4.0.0, <= 4.0.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:23.167Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/smartstore/SmartStoreNET/security/advisories/GHSA-8g9m-jx26-qp4h"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SmartStoreNET",
"vendor": "smartstore",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c= 4.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Affected versions of Smartstore have a missing WebApi Authentication attribute. This vulnerability affects Smartstore shops in version 4.0.0 \u0026 4.0.1 which have installed and activated the Web API plugin. Users of Smartstore 4.0.0 and 4.0.1 must merge their repository with 4.0.x or overwrite the file SmartStore.Web.Framework in the */bin* directory of the deployed shop with this file. As a workaround without updating uninstall the Web API plugin to close this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-08T22:40:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/smartstore/SmartStoreNET/security/advisories/GHSA-8g9m-jx26-qp4h"
}
],
"source": {
"advisory": "GHSA-8g9m-jx26-qp4h",
"discovery": "UNKNOWN"
},
"title": "WebApi Authentication attribute missing in Smartstore",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15243",
"STATE": "PUBLIC",
"TITLE": "WebApi Authentication attribute missing in Smartstore"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SmartStoreNET",
"version": {
"version_data": [
{
"version_value": "\u003e= 4.0.0, \u003c= 4.0.1"
}
]
}
}
]
},
"vendor_name": "smartstore"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Affected versions of Smartstore have a missing WebApi Authentication attribute. This vulnerability affects Smartstore shops in version 4.0.0 \u0026 4.0.1 which have installed and activated the Web API plugin. Users of Smartstore 4.0.0 and 4.0.1 must merge their repository with 4.0.x or overwrite the file SmartStore.Web.Framework in the */bin* directory of the deployed shop with this file. As a workaround without updating uninstall the Web API plugin to close this vulnerability."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/smartstore/SmartStoreNET/security/advisories/GHSA-8g9m-jx26-qp4h",
"refsource": "CONFIRM",
"url": "https://github.com/smartstore/SmartStoreNET/security/advisories/GHSA-8g9m-jx26-qp4h"
}
]
},
"source": {
"advisory": "GHSA-8g9m-jx26-qp4h",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15243",
"datePublished": "2020-10-08T22:40:12.000Z",
"dateReserved": "2020-06-25T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:08:23.167Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36365 (GCVE-0-2020-36365)
Vulnerability from cvelistv5 – Published: 2021-05-19 18:57 – Updated: 2024-08-04 17:23
VLAI
Summary
Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/smartstore/SmartStoreNET/issues/2113 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:10.435Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/smartstore/SmartStoreNET/issues/2113"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-19T18:57:46.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/smartstore/SmartStoreNET/issues/2113"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36365",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/smartstore/SmartStoreNET/issues/2113",
"refsource": "MISC",
"url": "https://github.com/smartstore/SmartStoreNET/issues/2113"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36365",
"datePublished": "2021-05-19T18:57:46.000Z",
"dateReserved": "2021-05-19T00:00:00.000Z",
"dateUpdated": "2024-08-04T17:23:10.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36364 (GCVE-0-2020-36364)
Vulnerability from cvelistv5 – Published: 2021-05-19 18:57 – Updated: 2024-08-04 17:23
VLAI
Summary
An issue was discovered in Smartstore (aka SmartStoreNET) before 4.1.0. Administration/Controllers/ImportController.cs allows path traversal (for copy and delete actions) in the ImportController.Create method via a TempFileName field.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/smartstore/SmartStoreNET/commi… | x_refsource_MISC |
| https://github.com/smartstore/SmartStoreNET/issues/2112 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:10.430Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/smartstore/SmartStoreNET/commit/5ab1e37dc8d6415d04354e1a116f3d82e9555f5c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/smartstore/SmartStoreNET/issues/2112"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Smartstore (aka SmartStoreNET) before 4.1.0. Administration/Controllers/ImportController.cs allows path traversal (for copy and delete actions) in the ImportController.Create method via a TempFileName field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-19T18:57:20.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/smartstore/SmartStoreNET/commit/5ab1e37dc8d6415d04354e1a116f3d82e9555f5c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/smartstore/SmartStoreNET/issues/2112"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36364",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Smartstore (aka SmartStoreNET) before 4.1.0. Administration/Controllers/ImportController.cs allows path traversal (for copy and delete actions) in the ImportController.Create method via a TempFileName field."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/smartstore/SmartStoreNET/commit/5ab1e37dc8d6415d04354e1a116f3d82e9555f5c",
"refsource": "MISC",
"url": "https://github.com/smartstore/SmartStoreNET/commit/5ab1e37dc8d6415d04354e1a116f3d82e9555f5c"
},
{
"name": "https://github.com/smartstore/SmartStoreNET/issues/2112",
"refsource": "MISC",
"url": "https://github.com/smartstore/SmartStoreNET/issues/2112"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36364",
"datePublished": "2021-05-19T18:57:20.000Z",
"dateReserved": "2021-05-19T00:00:00.000Z",
"dateUpdated": "2024-08-04T17:23:10.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27997 (GCVE-0-2020-27997)
Vulnerability from cvelistv5 – Published: 2021-02-19 23:00 – Updated: 2024-08-04 16:25
VLAI
Summary
An issue was discovered in SmartStoreNET before 4.1.0. Lack of Cross Site Request Forgery (CSRF) protection may lead to elevation of privileges (e.g., /admin/customer/create to create an admin account).
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/smartstore/SmartStoreNET/compa… | x_refsource_MISC |
| https://securitylab.github.com/advisories/GHSL-20… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:25:44.094Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/smartstore/SmartStoreNET/compare/4.0.1...4.1.0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2020-138-139-SmartstoreAG-SmartStoreNET"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in SmartStoreNET before 4.1.0. Lack of Cross Site Request Forgery (CSRF) protection may lead to elevation of privileges (e.g., /admin/customer/create to create an admin account)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-19T23:00:25.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/smartstore/SmartStoreNET/compare/4.0.1...4.1.0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/advisories/GHSL-2020-138-139-SmartstoreAG-SmartStoreNET"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27997",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in SmartStoreNET before 4.1.0. Lack of Cross Site Request Forgery (CSRF) protection may lead to elevation of privileges (e.g., /admin/customer/create to create an admin account)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/smartstore/SmartStoreNET/compare/4.0.1...4.1.0",
"refsource": "MISC",
"url": "https://github.com/smartstore/SmartStoreNET/compare/4.0.1...4.1.0"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2020-138-139-SmartstoreAG-SmartStoreNET",
"refsource": "MISC",
"url": "https://securitylab.github.com/advisories/GHSL-2020-138-139-SmartstoreAG-SmartStoreNET"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27997",
"datePublished": "2021-02-19T23:00:25.000Z",
"dateReserved": "2020-10-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T16:25:44.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27996 (GCVE-0-2020-27996)
Vulnerability from cvelistv5 – Published: 2020-10-29 17:07 – Updated: 2024-08-04 16:25
VLAI
Summary
An issue was discovered in SmartStoreNET before 4.0.1. It does not properly consider the need for a CustomModelPartAttribute decoration in certain ModelBase.CustomProperties situations.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/smartstore/SmartStoreNET/commi… | x_refsource_MISC |
| https://github.com/smartstore/SmartStoreNET/compa… | x_refsource_MISC |
| https://securitylab.github.com/advisories/GHSL-20… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:25:43.967Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/smartstore/SmartStoreNET/commit/8702c6140f4fc91956ef35dba12d24492fb3f768"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/smartstore/SmartStoreNET/compare/4.0.0...4.0.1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2020-138-139-SmartstoreAG-SmartStoreNET"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in SmartStoreNET before 4.0.1. It does not properly consider the need for a CustomModelPartAttribute decoration in certain ModelBase.CustomProperties situations."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-19T23:01:55.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/smartstore/SmartStoreNET/commit/8702c6140f4fc91956ef35dba12d24492fb3f768"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/smartstore/SmartStoreNET/compare/4.0.0...4.0.1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/advisories/GHSL-2020-138-139-SmartstoreAG-SmartStoreNET"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27996",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in SmartStoreNET before 4.0.1. It does not properly consider the need for a CustomModelPartAttribute decoration in certain ModelBase.CustomProperties situations."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/smartstore/SmartStoreNET/commit/8702c6140f4fc91956ef35dba12d24492fb3f768",
"refsource": "MISC",
"url": "https://github.com/smartstore/SmartStoreNET/commit/8702c6140f4fc91956ef35dba12d24492fb3f768"
},
{
"name": "https://github.com/smartstore/SmartStoreNET/compare/4.0.0...4.0.1",
"refsource": "MISC",
"url": "https://github.com/smartstore/SmartStoreNET/compare/4.0.0...4.0.1"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2020-138-139-SmartstoreAG-SmartStoreNET",
"refsource": "MISC",
"url": "https://securitylab.github.com/advisories/GHSL-2020-138-139-SmartstoreAG-SmartStoreNET"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27996",
"datePublished": "2020-10-29T17:07:54.000Z",
"dateReserved": "2020-10-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T16:25:43.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15243 (GCVE-0-2020-15243)
Vulnerability from cvelistv5 – Published: 2020-10-08 22:40 – Updated: 2024-08-04 13:08
VLAI
Title
WebApi Authentication attribute missing in Smartstore
Summary
Affected versions of Smartstore have a missing WebApi Authentication attribute. This vulnerability affects Smartstore shops in version 4.0.0 & 4.0.1 which have installed and activated the Web API plugin. Users of Smartstore 4.0.0 and 4.0.1 must merge their repository with 4.0.x or overwrite the file SmartStore.Web.Framework in the */bin* directory of the deployed shop with this file. As a workaround without updating uninstall the Web API plugin to close this vulnerability.
Severity
9.1 (Critical)
CWE
- CWE-287 - Improper Authentication
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/smartstore/SmartStoreNET/secur… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smartstore | SmartStoreNET |
Affected:
>= 4.0.0, <= 4.0.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:23.167Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/smartstore/SmartStoreNET/security/advisories/GHSA-8g9m-jx26-qp4h"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SmartStoreNET",
"vendor": "smartstore",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c= 4.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Affected versions of Smartstore have a missing WebApi Authentication attribute. This vulnerability affects Smartstore shops in version 4.0.0 \u0026 4.0.1 which have installed and activated the Web API plugin. Users of Smartstore 4.0.0 and 4.0.1 must merge their repository with 4.0.x or overwrite the file SmartStore.Web.Framework in the */bin* directory of the deployed shop with this file. As a workaround without updating uninstall the Web API plugin to close this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-08T22:40:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/smartstore/SmartStoreNET/security/advisories/GHSA-8g9m-jx26-qp4h"
}
],
"source": {
"advisory": "GHSA-8g9m-jx26-qp4h",
"discovery": "UNKNOWN"
},
"title": "WebApi Authentication attribute missing in Smartstore",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15243",
"STATE": "PUBLIC",
"TITLE": "WebApi Authentication attribute missing in Smartstore"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SmartStoreNET",
"version": {
"version_data": [
{
"version_value": "\u003e= 4.0.0, \u003c= 4.0.1"
}
]
}
}
]
},
"vendor_name": "smartstore"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Affected versions of Smartstore have a missing WebApi Authentication attribute. This vulnerability affects Smartstore shops in version 4.0.0 \u0026 4.0.1 which have installed and activated the Web API plugin. Users of Smartstore 4.0.0 and 4.0.1 must merge their repository with 4.0.x or overwrite the file SmartStore.Web.Framework in the */bin* directory of the deployed shop with this file. As a workaround without updating uninstall the Web API plugin to close this vulnerability."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/smartstore/SmartStoreNET/security/advisories/GHSA-8g9m-jx26-qp4h",
"refsource": "CONFIRM",
"url": "https://github.com/smartstore/SmartStoreNET/security/advisories/GHSA-8g9m-jx26-qp4h"
}
]
},
"source": {
"advisory": "GHSA-8g9m-jx26-qp4h",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15243",
"datePublished": "2020-10-08T22:40:12.000Z",
"dateReserved": "2020-06-25T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:08:23.167Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}