Filtered by vendor Saleor Subscriptions
Total 6 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-3294 1 Saleor 1 React-storefront 2024-12-17 6.1 Medium
Cross-site Scripting (XSS) - DOM in GitHub repository saleor/react-storefront prior to c29aab226f07ca980cc19787dcef101e11b83ef7.
CVE-2023-32694 1 Saleor 1 Saleor 2024-11-21 4.8 Medium
Saleor Core is a composable, headless commerce API. Saleor's `validate_hmac_signature` function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments having the Adyen plugin enabled in order to determine the secret key and forge fake events, this could affect the database integrity such as marking an order as paid when it is not. This issue has been patched in versions 3.7.68, 3.8.40, 3.9.49, 3.10.36, 3.11.35, 3.12.25, and 3.13.16.
CVE-2023-26052 1 Saleor 1 Saleor 2024-11-21 3.7 Low
Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like infrastructure details in unauthenticated requests. This issue has been patched in versions 3.1.48, 3.7.59, 3.8.0, 3.9.27, 3.10.14 and 3.11.12.
CVE-2023-26051 1 Saleor 1 Saleor 2024-11-21 6.5 Medium
Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like user email address in staff-authenticated requests.
CVE-2022-39275 1 Saleor 1 Saleor 2024-11-21 5.3 Medium
Saleor is a headless, GraphQL commerce platform. In affected versions some GraphQL mutations were not properly checking the ID type input which allowed to access database objects that the authenticated user may not be allowed to access. This vulnerability can be used to expose the following information: Estimating database row counts from tables with a sequential primary key or Exposing staff user and customer email addresses and full name through the `assignNavigation()` mutation. This issue has been patched in main and backported to multiple releases (3.7.17, 3.6.18, 3.5.23, 3.4.24, 3.3.26, 3.2.14, 3.1.24). Users are advised to upgrade. There are no known workarounds for this issue.
CVE-2022-0932 1 Saleor 1 Saleor 2024-11-21 6.5 Medium
Missing Authorization in GitHub repository saleor/saleor prior to 3.1.2.