npm package
erxes
pkg:npm/erxes
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-57190 | — | < 1.6.1 | 1.6.1 | Jun 10, 2025 | Erxes <1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a "User" HTTP header that contains any user, allowing them to talk to any GraphQL endpoint. | ||
| CVE-2024-57189 | — | < 1.6.2 | 1.6.2 | Jun 10, 2025 | In Erxes <1.6.2, an authenticated attacker can write to arbitrary files on the system using a Path Traversal vulnerability in the importHistoriesCreate GraphQL mutation handler. | ||
| CVE-2024-57186 | — | < 1.6.2 | 1.6.2 | Jun 10, 2025 | In Erxes <1.6.2, an unauthenticated attacker can read arbitrary files from the system using a Path Traversal vulnerability in the /read-file endpoint handler. | ||
| CVE-2021-32853 | — | <= 1.0.1 | — | Feb 20, 2023 | Erxes, an experience operating system (XOS) with a set of plugins, is vulnerable to cross-site scripting in versions 0.22.3 and prior. This results in client-side code execution. The victim must follow a malicious link or be redirected there from malicious web site. There are no |
- CVE-2024-57190Jun 10, 2025affected < 1.6.1fixed 1.6.1
Erxes <1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a "User" HTTP header that contains any user, allowing them to talk to any GraphQL endpoint.
- CVE-2024-57189Jun 10, 2025affected < 1.6.2fixed 1.6.2
In Erxes <1.6.2, an authenticated attacker can write to arbitrary files on the system using a Path Traversal vulnerability in the importHistoriesCreate GraphQL mutation handler.
- CVE-2024-57186Jun 10, 2025affected < 1.6.2fixed 1.6.2
In Erxes <1.6.2, an unauthenticated attacker can read arbitrary files from the system using a Path Traversal vulnerability in the /read-file endpoint handler.
- CVE-2021-32853Feb 20, 2023affected <= 1.0.1
Erxes, an experience operating system (XOS) with a set of plugins, is vulnerable to cross-site scripting in versions 0.22.3 and prior. This results in client-side code execution. The victim must follow a malicious link or be redirected there from malicious web site. There are no