Attackers can leverage these vulnerabilities to conduct a phishing attack against users by redirecting them to an attacker-controlled web site. NopCommerce version 4.10 through 4.50.1 does not properly sanitize user input in various functions that can be exploited to conduct a phishing attack. As a result, a remote attacker can exploit these vulnerabilities to conduct phishing attacks against users.

NopCommerce version 4.10 through 4.50.1 allows remote attackers to bypass authentication via vectors involving the (1) ChangePassword function, (2) SignInCustomerAsync function, (3) SuccessfulAuthentication method, or (4) NopRedirectResultExecutor class, processed by the SessionController class.

NopCommerce version 4.10 through 4.50.1 does not properly validate user input in the (5) NopRedirectResultExecutor class, which can be exploited to conduct a phishing attack against users.

NopCommerce version 4.10 through 4.50.1 allows remote attackers to bypass authentication via vectors involving the (6) NopRedirectResultExecutor class, processed by the SessionController class.

NopCommerce version 4.10 through 4.50.1 does not properly validate user input in the (7) NopRedirectResultExecutor class, which can be exploited to conduct a phishing attack against users. NopCommerce version 4.10 through 4.50.1 does not properly validate user

Limitations

This vulnerability affects only NopCommerce versions 4.10 through 4.50.1.

NopCommerce Vulnerability Summary

NopCommerce version 4.10 through 4.50.1 has multiple vulnerabilities, including the ability for attackers to conduct phishing attacks on users and bypass authentication.

NopCommerce - Details of the Vulnerabilities

The vulnerabilities are caused when NopCommerce fails to properly validate user input.

Timeline

Published on: 10/20/2022 11:15:00 UTC
Last modified on: 10/21/2022 16:08:00 UTC
