MidnightBSD

Advisories for vanguard_project

CVE-2017-17873 HIGH

Vanguard Marketplace Digital Products PHP 1.4 has SQL Injection via the PATH_INFO to the /p URI.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
vanguard_project marketplace_digital_products_php 1.4.0
CVE-2017-17874 MEDIUM

Vanguard Marketplace Digital Products PHP 1.4 allows arbitrary file upload via an "Add a new product" or "Add a product preview" action, which can make a .php file accessible under a uploads/ URI.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,

Products Affected

Vendor Product Version
vanguard_project marketplace_digital_products_php 1.4.0
CVE-2017-17936 MEDIUM

Vanguard Marketplace Digital Products PHP has CSRF via /search.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
vanguard_project marketplace_digital_products_php *
CVE-2017-17937 MEDIUM

Vanguard Marketplace Digital Products PHP has XSS via the phps_query parameter to /search.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
vanguard_project marketplace_digital_products_php *
CVE-2020-15537 MEDIUM

An issue was discovered in the Vanguard plugin 2.1 for WordPress. XSS can occur via the mails/new title field, a product field to the p/ URI, or the Products Search box.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
vanguard_project vanguard 2.1