Timo Müller

#7317of 53,633
37.5Total CVSS
Vulnerabilities · 4
High
1
Critical
3
PT-2025-32142
8.1
2025-08-06
Shopware · Shopware 6.6.10.4 · CVE-2025-7954
**Name of the Vulnerable Software and Affected Versions** Shopware version 6.6.10.4 **Description** A race condition exists in the voucher system, allowing attackers to bypass voucher restrictions and exceed usage limitations. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2022-9427
9.8
2022-05-06
Twelvemonkeys · Imageio-Metadata · CVE-2021-23792
**Name of the Vulnerable Software and Affected Versions** com.twelvemonkeys.imageio:imageio-metadata versions prior to 3.7.1 **Description** The issue is related to an insecurely initialized XML parser for reading XMP Metadata, which can lead to XML External Entity (XXE) Injection. An attacker can exploit this by supplying a file with a malicious XMP segment, such as when an online profile picture is processed. If the XMP metadata of the uploaded image is parsed, the XXE vulnerability is triggered. **Recommendations** For versions prior to 3.7.1, update to version 3.7.1 or later to resolve the issue. As a temporary workaround, consider restricting the processing of XMP metadata from untrusted sources until a patch is applied. Avoid using insecurely initialized XML parsers for reading XMP Metadata to minimize the risk of exploitation.
PT-2021-15515
9.8
2021-09-01
Unknown · Elfinder.Netcore · CVE-2021-23427
**Name of the Vulnerable Software and Affected Versions** elFinder.NetCore (affected versions not specified) **Description** The issue is related to insufficient validation in the ExtractAsync function within the FileSystem, allowing for arbitrary extraction. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2021-15516
9.8
2021-09-01
Unknown · Elfinder.Netcore · CVE-2021-23428
**Name of the Vulnerable Software and Affected Versions** elFinder.NetCore (affected versions not specified) **Description** The issue arises from the use of the Path.Combine(...) method to create an absolute file path without proper sanitation of user input and a check on the generated path. This allows for a path traversal attack, enabling an attacker to escape the Files directory. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.