PT-2019-12351 · Nopcommerce · Nopcommerce

Andreimaz · Published 2019-04-25 · Updated 2019-05-01 · CVE-2019-11519

CVSS v3.1: 4.9 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: nopCommerce versions prior to 4.10

Description: The issue is an XML eXternal Entity (XXE) vulnerability in the LocalizationService.cs file. It is reachable through the "Configurations -> Languages -> Edit Language -> Import Resources -> Upload XML file" screen, where an uploaded language-resource XML file is parsed; a file carrying external entity declarations can therefore trigger an XXE attack. As the CVSS vector's PR:H reflects, the import screen is an administrative function, so high privileges are required to reach it.

Recommendations: For versions prior to 4.10, as a temporary workaround, disable the XML file upload functionality in the "Configurations -> Languages -> Edit Language -> Import Resources" section until a patch is available. Restrict access to the LocalizationService.cs file to minimize the risk of exploitation. Avoid using the XML upload feature in the affected screen until the issue is resolved.
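The import path described above parses an uploaded XML document, so the durable fix is to parse it with a reader that cannot declare or resolve entities. The following is an added example of such a hardened import in .NET; it is not nopCommerce's own code, and the element names Language / LocaleResource / Value and the class and method names are assumptions, not taken from the advisory.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Xml;

// Added example: hardened import of a language-resource XML file (not nopCommerce's code).
// Element names Language / LocaleResource / Value are assumed, not taken from the advisory.
public static class SafeResourceImport
{
    // Reader settings that neutralise XXE: prohibiting DTDs removes the place where
    // entities are declared, a null resolver means nothing is ever fetched from disk
    // or network, and the entity budget bounds expansion (e.g. "billion laughs").
    public static XmlReaderSettings HardenedSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null,
        MaxCharactersFromEntities = 1024
    };
    // Returns resource name -> value; throws XmlException as soon as a DOCTYPE is seen.
    public static Dictionary<string, string> Import(Stream xml)
    {
        var resources = new Dictionary<string, string>();
        using (var reader = XmlReader.Create(xml, HardenedSettings()))
        {
            var doc = new XmlDocument { XmlResolver = null }; // resolver off on the DOM too
            doc.Load(reader);
            foreach (XmlNode node in doc.SelectNodes("/Language/LocaleResource"))
            {
                var name = node.Attributes?["Name"]?.Value;
                var value = node.SelectSingleNode("Value")?.InnerText;
                if (!string.IsNullOrEmpty(name) && value != null)
                    resources[name] = value;
            }
        }
        return resources;
    }
    public static void Main()
    {
        // Constructed inputs: a benign resource file, and one that carries a DOCTYPE,
        // the construct an XXE payload needs; the hardened reader rejects it outright.
        const string benign = "<Language Name=\"EN\"><LocaleResource Name=\"Admin.Hello\"><Value>Hello</Value></LocaleResource></Language>";
        const string withDoctype = "<!DOCTYPE x [<!ENTITY e \"x\">]><Language><LocaleResource Name=\"a\"><Value>&e;</Value></LocaleResource></Language>";
        var ok = Import(new MemoryStream(Encoding.UTF8.GetBytes(benign)));
        Console.WriteLine($"imported {ok.Count} resource(s), Admin.Hello = {ok["Admin.Hello"]}");
        try { Import(new MemoryStream(Encoding.UTF8.GetBytes(withDoctype))); }
        catch (XmlException ex) { Console.WriteLine("rejected upload: " + ex.Message); }
    }
}
```

On .NET Framework 4.5.2 and later XmlDocument already defaults to a null XmlResolver, but setting it explicitly, together with DtdProcessing.Prohibit on the reader, keeps the behaviour identical across runtimes and makes the intent visible in review.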

Exploit · Fix · XXE


Weakness Enumeration

Related Identifiers: CVE-2019-11519

Affected Products: Nopcommerce