Simplcommerce
Products
1- 7 CVEs
Recent CVEs
7| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-50944 | Cri | 0.64 | 9.8 | 0.01 | Dec 27, 2024 | Integer overflow vulnerability exists in SimplCommerce at commit 230310c8d7a0408569b292c5a805c459d47a1d8f in the shopping cart functionality. The issue lies in the quantity parameter in the CartController's AddToCart method. | ||
| CVE-2024-50945 | Hig | 0.49 | 7.5 | 0.01 | Dec 27, 2024 | An improper access control vulnerability exists in SimplCommerce at commit 230310c8d7a0408569b292c5a805c459d47a1d8f, allowing users to submit reviews without verifying if they have purchased the product. | ||
| CVE-2020-27478 | Hig | 0.46 | 7.1 | 0.00 | Apr 30, 2024 | Cross Site Scripting vulnerability found in Simplcommerce v.40734964b0811f3cbaf64b6dac261683d256f961 thru 3103357200c70b4767986544e01b19dbf11505a7 allows a remote attacker to execute arbitrary code via a crafted script to the search bar feature. | ||
| CVE-2024-53476 | Med | 0.38 | 5.9 | 0.01 | Dec 27, 2024 | A race condition vulnerability in SimplCommerce at commit 230310c8d7a0408569b292c5a805c459d47a1d8f allows attackers to bypass inventory restrictions by simultaneously submitting purchase requests from multiple accounts for the same product. This can lead to overselling when… | ||
| CVE-2020-29587 | Med | 0.35 | 5.4 | 0.01 | Jan 14, 2021 | SimplCommerce 1.0.0-rc uses the Bootbox.js library, which allows creation of programmatic dialog boxes using Bootstrap modals. The Bootbox.js library intentionally does not perform any sanitization of user input, which results in a DOM XSS, because it uses the jQuery .html()… | ||
| CVE-2026-9591 | 0.00 | — | 0.00 | Jun 17, 2026 | Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to `/api/news-items`, due to missing anti-CSRF… | |||
| CVE-2026-11975 | 0.00 | — | 0.00 | Jun 17, 2026 | Stored cross-site scripting (XSS) in NewsItemApiController In SimplCommerce prior to commit 6142d3b5 allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML sanitization and rendered… |
- risk 0.64cvss 9.8epss 0.01
Integer overflow vulnerability exists in SimplCommerce at commit 230310c8d7a0408569b292c5a805c459d47a1d8f in the shopping cart functionality. The issue lies in the quantity parameter in the CartController's AddToCart method.
- risk 0.49cvss 7.5epss 0.01
An improper access control vulnerability exists in SimplCommerce at commit 230310c8d7a0408569b292c5a805c459d47a1d8f, allowing users to submit reviews without verifying if they have purchased the product.
- risk 0.46cvss 7.1epss 0.00
Cross Site Scripting vulnerability found in Simplcommerce v.40734964b0811f3cbaf64b6dac261683d256f961 thru 3103357200c70b4767986544e01b19dbf11505a7 allows a remote attacker to execute arbitrary code via a crafted script to the search bar feature.
- risk 0.38cvss 5.9epss 0.01
A race condition vulnerability in SimplCommerce at commit 230310c8d7a0408569b292c5a805c459d47a1d8f allows attackers to bypass inventory restrictions by simultaneously submitting purchase requests from multiple accounts for the same product. This can lead to overselling when…
- risk 0.35cvss 5.4epss 0.01
SimplCommerce 1.0.0-rc uses the Bootbox.js library, which allows creation of programmatic dialog boxes using Bootstrap modals. The Bootbox.js library intentionally does not perform any sanitization of user input, which results in a DOM XSS, because it uses the jQuery .html()…
- CVE-2026-9591Jun 17, 2026risk 0.00cvss —epss 0.00
Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to `/api/news-items`, due to missing anti-CSRF…
- CVE-2026-11975Jun 17, 2026risk 0.00cvss —epss 0.00
Stored cross-site scripting (XSS) in NewsItemApiController In SimplCommerce prior to commit 6142d3b5 allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML sanitization and rendered…