CVE-2019-19683

Name of the Vulnerable Software and Affected Versions nopCommerce version 4.2.0

Description The issue concerns a path traversal vulnerability via ../ in the d or f parameters to "Admin/RoxyFileman/ProcessRequest" due to a flaw in "Libraries/Nop.Services/Media/RoxyFileman/FileRoxyFilemanService.cs" within RoxyFileman, which is shipped with nopCommerce.

Recommendations For nopCommerce version 4.2.0, consider restricting access to the "Admin/RoxyFileman/ProcessRequest" endpoint to minimize the risk of exploitation. Avoid using the d or f parameters in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.