{"id":"GHSA-24cf-848g-762c","summary":"ShopXO Vulnerable to Server-Side Request Forgery (SSRF) and Cross-Site Scripting (XSS)","details":"ShopXO v6.4.0 contains Server-Side Request Forgery (SSRF) and Cross-Site Scripting (XSS) vulnerabilities in multiple places.","aliases":["CVE-2025-28094"],"modified":"2025-04-01T14:42:18.172289Z","published":"2025-03-29T00:31:34Z","database_specific":{"github_reviewed":true,"github_reviewed_at":"2025-04-01T14:20:27Z","severity":"MODERATE","nvd_published_at":"2025-03-28T22:15:18Z","cwe_ids":["CWE-79","CWE-918"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-28094"},{"type":"PACKAGE","url":"https://github.com/gongfuxiang/shopxo"},{"type":"WEB","url":"https://www.yuque.com/morysummer/vx41bz/echzollcdlmllgqo"}],"affected":[{"package":{"name":"shopxo/shopxo","ecosystem":"Packagist","purl":"pkg:composer/shopxo/shopxo"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"6.4.0"}]}],"versions":["2.1.0","v1.1.0","v1.2.0","v1.3.0","v1.4.0","v1.5.0","v1.6.0","v1.7.0","v1.8.0","v1.8.1","v1.9.0","v1.9.1","v1.9.2","v1.9.3","v2.0.0","v2.0.1","v2.0.2","v2.0.3","v2.2.0","v2.2.1","v2.2.2","v2.2.3","v2.2.4","v2.2.5","v2.2.6","v2.2.7","v2.2.8","v2.2.9","v2.3.0","v2.3.1","v2.3.2","v2.3.3","v3.0.0","v3.0.1","v3.0.2","v3.0.3","v4.0.0","v5.0.0","v6.0.0","v6.1.0","v6.2.0","v6.3.0","v6.4.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-24cf-848g-762c/GHSA-24cf-848g-762c.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"}]}