A vulnerability was found in ShopXO up to 6.1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file `extend/base/Uploader.php`. The manipulation of the argument source leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-270367. NOTE: The original disclosure confuses CSRF with SSRF.

Affected Packages

Packagist shopxo/shopxo

Affected versions: 0 (last affected: 6.1.0)

Related CVEs

CVE-2024-6524

Key Information

GHSA ID

GHSA-c96r-38gv-grp4

Published

July 5, 2024 12:31 PM

Last Modified

July 8, 2024 7:04 PM

CVSS Score

5.0 /10

Primary Ecosystem

Packagist

Primary Package

shopxo/shopxo

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 15, 2025 6:24 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.