Bagisto vulnerable to Insecure Direct Object Reference (IDOR)
Insecure Direct Object Reference (IDOR) in Bagisto v.1.5.0 allows an attacker to obtain sensitive information via the invoice ID parameter.
Bagisto is vulnerable to cross-site scripting (XSS) via a PNG file upload in the product review option.
Cross Site Request Forgery vulnerability in Bagisto before v.1.3.2 allows an attacker to execute arbitrary code via a crafted HTML script.
Cross Site Scripting vulnerability in Webkul Bagisto v.1.5.0 and before allows an attacker to execute arbitrary code via a crafted SVG file upload.
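An SVG is an XML document, so an upload filter that only checks the extension or MIME type still lets `<script>` elements, `on*` event handlers and `javascript:` links through; once the file is rendered inline on a page of the shop, that code runs in the customer's or administrator's session. The check below is an added example written for this page, not Bagisto's own upload code; it assumes PHP 8 with the standard DOM extension and that the uploaded bytes are already in a string. It parses the file with network access disabled, refuses a DOCTYPE outright, and rejects the element and attribute patterns that can execute script.

```php
<?php
// Added example, not Bagisto code. Reject SVG uploads that can execute script
// when the image is rendered inline. Requires PHP 8 and ext-dom.
declare(strict_types=1);

function svgIsSafe(string $svg): bool
{
    // A DOCTYPE is never needed for an icon and is the carrier for entity tricks.
    if (preg_match('/<!DOCTYPE/i', $svg) === 1) {
        return false;
    }

    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET: never fetch external resources while parsing.
    // Entity substitution is off by default (no LIBXML_NOENT), keep it that way.
    $parsed = $dom->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($parsed === false || $dom->documentElement === null
        || $dom->documentElement->localName !== 'svg') {
        return false;
    }

    // Elements that can run or smuggle script: <script>, HTML inside
    // <foreignObject>, and SMIL animation that can rewrite href at runtime.
    $blockedElements = ['script', 'foreignObject', 'set', 'animate'];

    foreach ($dom->getElementsByTagName('*') as $element) {
        if (in_array($element->localName, $blockedElements, true)) {
            return false;
        }
        foreach ($element->attributes as $attribute) {
            $name  = strtolower($attribute->localName);
            // Collapse whitespace and control characters so "java\tscript:" is caught.
            $value = strtolower(preg_replace('/[\s\x00-\x1f]+/', '', $attribute->nodeValue));

            // Any event handler attribute (onload, onclick, onbegin, ...).
            if (str_starts_with($name, 'on')) {
                return false;
            }
            // href and xlink:href both have localName "href" in the DOM.
            if ($name === 'href'
                && (str_starts_with($value, 'javascript:') || str_starts_with($value, 'data:'))) {
                return false;
            }
        }
    }
    return true;
}

// Constructed sample inputs for the example.
$malicious = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
           . '<script>alert(document.cookie)</script></svg>';
$benign    = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>';

var_dump(svgIsSafe($malicious));
var_dump(svgIsSafe($benign));
```

A filter like this is a second line of defence, not the first: the stronger control is to serve user uploads from a separate origin, or with `Content-Disposition: attachment` and a restrictive Content-Security-Policy, so that even an SVG that slips through never executes in the shop's origin.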
Bagisto v1.5.1 is vulnerable to Server-Side Template Injection (SSTI).
In Webkul Bagisto, the functionality that lets customers change their own data (such as address, reviews, orders, etc.) can also be used by other customers to manipulate that data.
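The two IDOR entries above describe the same defect: a record (an invoice, an address, a review, an order) is looked up by the identifier sent in the request, and the authenticated customer never becomes part of that lookup. The following is an added example written for this page, not Bagisto's own code; it uses a constructed in-memory repository and hypothetical class names to show the vulnerable lookup beside the scoped one. In a Laravel application the scoped form corresponds to constraining the Eloquent query with the authenticated user's ID before calling `findOrFail`, rather than fetching the row first and checking the owner afterwards.

```php
<?php
// Added example, not Bagisto code. Object-level authorization for a
// customer-owned record, vulnerable lookup beside the scoped one.
declare(strict_types=1);

final class InvoiceRepository
{
    /** Constructed sample rows: invoice 101 belongs to customer 7, 102 to customer 8. */
    private array $rows = [
        101 => ['id' => 101, 'customer_id' => 7, 'total' => '49.90'],
        102 => ['id' => 102, 'customer_id' => 8, 'total' => '1200.00'],
    ];

    // Vulnerable: the ID from the URL is the only input, so any logged-in
    // customer who changes the number reads someone else's invoice.
    public function findById(int $invoiceId): ?array
    {
        return $this->rows[$invoiceId] ?? null;
    }

    // Hardened: the authenticated customer is part of the lookup key, so a
    // foreign ID is indistinguishable from a non-existent one.
    public function findForCustomer(int $invoiceId, int $customerId): ?array
    {
        $row = $this->rows[$invoiceId] ?? null;
        if ($row === null || $row['customer_id'] !== $customerId) {
            return null;
        }
        return $row;
    }
}

final class InvoiceController
{
    public function __construct(private InvoiceRepository $invoices) {}

    // Vulnerable handler (hypothetical): trusts the route parameter alone.
    public function showVulnerable(int $invoiceId, int $authenticatedCustomerId): array
    {
        $invoice = $this->invoices->findById($invoiceId);
        return $invoice ?? ['status' => 404];
    }

    // Hardened handler (hypothetical): same route, same parameter, scoped lookup.
    // Answering 404 rather than 403 avoids confirming that the invoice exists.
    public function show(int $invoiceId, int $authenticatedCustomerId): array
    {
        $invoice = $this->invoices->findForCustomer($invoiceId, $authenticatedCustomerId);
        return $invoice ?? ['status' => 404];
    }
}

$controller = new InvoiceController(new InvoiceRepository());

// Customer 7 asks for invoice 102, which belongs to customer 8.
var_dump($controller->showVulnerable(102, 7)); // leaks customer 8's invoice
var_dump($controller->show(102, 7));           // 404
var_dump($controller->show(101, 7));           // customer 7's own invoice
```

The same pattern applies to every customer-owned resource named in the entry above: addresses, reviews and orders should be fetched and updated through a query that carries the authenticated customer's ID, and the check belongs in the data access path rather than in individual controllers where it is easy to forget on one route.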
Bagisto allows CSRF under /admin URIs.