This page lists publicly disclosed CVE vulnerabilities affecting exrick xmall (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2023-36331 | Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users' order details via manipulation of the query parameter userId. | [email protected] | 8.2 | 0.05% | 2026-01-12 | 2026-01-22 |
| CVE-2025-65540 | Multiple Cross-Site Scripting (XSS) vulnerabilities exist in xmall v1.1 due to improper handling of user-supplied data. User input fields such as username and description are directly rendered into HTML without proper sanitization or encoding, allowing attackers to inject and execute malicious scripts. | [email protected] | 6.1 | 0.03% | 2025-11-29 | 2025-12-23 |
| CVE-2025-45612 | Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index. | [email protected] | 9.8 | 0.28% | 2025-05-05 | 2025-06-16 |
| CVE-2025-28399 | An issue in Erick xmall v.1.1 and before allows a remote attacker to escalate privileges via the updateAddress method of the Address Controller class. | [email protected] | 9.8 | 1.18% | 2025-04-15 | 2025-04-25 |
| CVE-2024-24112 | xmall v1.1 was discovered to contain a SQL injection vulnerability via the orderDir parameter. | [email protected] | 9.8 | 81.57% | 2024-02-06 | 2025-05-08 |
| CVE-2021-43432 | A Cross Site Scripting (XSS) vulnerability exists in Exrick XMall Admin Panel as of 11/7/2021 via the GET parameter in product-add.jsp. | [email protected] | 6.1 | 0.29% | 2022-04-07 | 2024-11-21 |