CVE-2024-6524

A vulnerability was found in ShopXO up to 6.1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file extend/base/Uploader.php. The manipulation of the argument source leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-270367. NOTE: The original disclosure confuses CSRF with SSRF.
References
Link Resource
https://github.com/J1rrY-learn/learn/blob/main/shopxo_ssrf.md Exploit
https://vuldb.com/?ctiid.270367 Permissions Required VDB Entry
https://vuldb.com/?id.270367 Permissions Required VDB Entry
https://vuldb.com/?submit.365173 Third Party Advisory VDB Entry
Configurations

Configuration 1 (hide)

cpe:2.3:a:shopxo:shopxo:*:*:*:*:*:*:*:*

History

08 Jul 2024, 15:33

Type Values Removed Values Added
CVSS v2 : 6.5
v3 : 5.5
v2 : 6.5
v3 : 8.8
CPE cpe:2.3:a:shopxo:shopxo:*:*:*:*:*:*:*:*
References () https://github.com/J1rrY-learn/learn/blob/main/shopxo_ssrf.md - () https://github.com/J1rrY-learn/learn/blob/main/shopxo_ssrf.md - Exploit
References () https://vuldb.com/?ctiid.270367 - () https://vuldb.com/?ctiid.270367 - Permissions Required, VDB Entry
References () https://vuldb.com/?id.270367 - () https://vuldb.com/?id.270367 - Permissions Required, VDB Entry
References () https://vuldb.com/?submit.365173 - () https://vuldb.com/?submit.365173 - Third Party Advisory, VDB Entry
First Time Shopxo shopxo
Shopxo

05 Jul 2024, 12:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-05 12:15

Updated : 2024-07-08 15:33


NVD link : CVE-2024-6524

Mitre link : CVE-2024-6524

CVE.ORG link : CVE-2024-6524


JSON object : View

Products Affected

shopxo

  • shopxo
CWE
CWE-918

Server-Side Request Forgery (SSRF)