CVE-2022-26954

Published: Oct 20, 2022

Modified: May 8, 2025

PUBLISHED

Description

Multiple open redirect vulnerabilities in NopCommerce 4.10 through 4.50.1 allow remote attackers to conduct phishing attacks by redirecting users to attacker-controlled web sites via the returnUrl parameter, processed by the (1) ChangePassword function, (2) SignInCustomerAsync function, (3) SuccessfulAuthentication method, or (4) NopRedirectResultExecutor class.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/nopSolutions/nopCommerce/releases

https://gist.github.com/adeadfed/baea45138b7eb29e09f6505d56b56413

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-26954

Description

Affected Products

References