Trungtin1998

**Name of the Vulnerable Software and Affected Versions** nopCommerce version 4.50.1 **Description** The issue allows an attacker, with the role of a customer, to inject JavaScript code into the `First name` or `Last name` fields at Customer Info, enabling Cross Site Scripting (XSS) attacks. **Recommendations** For nopCommerce version 4.50.1, as a temporary workaround, consider restricting the input for `First name` and `Last name` fields to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** nopCommerce version 4.50.1 **Description** The issue allows an attacker to upload an arbitrary file to the system, exploiting a Cross Site Scripting (XSS) vulnerability. This can be done through the Apply for vendor account feature. **Recommendations** For nopCommerce version 4.50.1, as a temporary workaround, consider restricting access to the Apply for vendor account feature until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** nopCommerce version 4.50.1 **Description** The issue allows a remote attacker to execute arbitrary JavaScript code at the client's browser via Cross Site Scripting (XSS) through the `Text` parameter when creating a new post in the forums. **Recommendations** For nopCommerce version 4.50.1, consider restricting access to the `Text` parameter in the forums to minimize the risk of exploitation until a patch is available. Avoid using the `Text` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.