VYPR

Gambio

by Gambio

CVEs (10)

  • CVE-2024-23759 (Critical, Feb 12, 2024)
    risk 0.71 | CVSS 9.8 | EPSS 0.48

    Deserialization of Untrusted Data in Gambio through 4.9.2.0 allows attackers to run arbitrary code via the "search" parameter of the "Parcelshopfinder/AddAddressBookEntry" function.

  • CVE-2024-23763 (Critical, Feb 12, 2024)
    risk 0.64 | CVSS 9.8 | EPSS 0.01

    SQL Injection vulnerability in Gambio through 4.9.2.0 allows attackers to run arbitrary SQL commands via a crafted GET request using the modifiers[attribute][] parameter.

  • CVE-2024-23761 (Critical, Feb 12, 2024)
    risk 0.64 | CVSS 9.8 | EPSS 0.01

    Server Side Template Injection in Gambio 4.9.2.0 allows attackers to run arbitrary code via a crafted Smarty email template.

  • CVE-2026-34408 (Critical, May 5, 2026)
    risk 0.59 | CVSS 9.1 | EPSS 0.00

    An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0). The password reset function can be bypassed to set arbitrary passwords for arbitrary accounts if the ID is known.

  • CVE-2020-10984 (High, Jul 28, 2020)
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    Gambio GX before 4.0.1.0 allows admin/admin.php CSRF.

  • CVE-2024-23762 (High, Feb 12, 2024)
    risk 0.51 | CVSS 7.8 | EPSS 0.00

    Unrestricted File Upload vulnerability in the Content Manager feature in Gambio 4.9.2.0 allows attackers to execute arbitrary code via upload of a crafted PHP file.

  • CVE-2020-10983 (Medium, Jul 28, 2020)
    risk 0.32 | CVSS 4.9 | EPSS 0.01

    Gambio GX before 4.0.1.0 allows SQL Injection in admin/mobile.php.

  • CVE-2020-10982 (Medium, Jul 28, 2020)
    risk 0.32 | CVSS 4.9 | EPSS 0.01

    Gambio GX before 4.0.1.0 allows SQL Injection in admin/gv_mail.php.

  • CVE-2020-10985 (Medium, Jul 28, 2020)
    risk 0.31 | CVSS 4.8 | EPSS 0.01

    Gambio GX before 4.0.1.0 allows XSS in admin/coupon_admin.php.

  • CVE-2024-23760 (Low, Feb 12, 2024)
    risk 0.18 | CVSS 2.7 | EPSS 0.00

    Cleartext Storage of Sensitive Information in Gambio 4.9.2.0 allows attackers to obtain sensitive information via error-handler.log.json and legacy-error-handler.log.txt under the webroot.