{"id":"CVE-2024-6524","details":"A vulnerability was found in ShopXO up to 6.1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file extend/base/Uploader.php. The manipulation of the argument source leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-270367. NOTE: The original disclosure confuses CSRF with SSRF.","aliases":["GHSA-c96r-38gv-grp4"],"modified":"2026-04-10T05:19:22.878466Z","published":"2024-07-05T12:15:02.090Z","references":[{"type":"ADVISORY","url":"https://vuldb.com/?submit.365173"},{"type":"REPORT","url":"https://vuldb.com/?id.270367"},{"type":"REPORT","url":"https://vuldb.com/?ctiid.270367"},{"type":"EVIDENCE","url":"https://github.com/J1rrY-learn/learn/blob/main/shopxo_ssrf.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gongfuxiang/shopxo","events":[{"introduced":"0"},{"last_affected":"9158ef19251c912e10a0f8fd1347fbc53323e137"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"6.1.0"}]}}],"versions":["v1.1.0","v1.2.0","v1.7.0","v1.8.0","v1.9.0","v1.9.2","v1.9.3","v2.0.0","v2.0.1","v2.1.0","v2.2.1","v2.2.2","v2.2.3","v2.2.4","v2.2.5","v2.2.6","v2.2.7","v2.2.9","v2.3.1","v2.3.2","v2.3.3","v3.0.0","v3.0.1","v3.0.2","v3.0.3","v4.0.0","v5.0.0","v6.0.0","v6.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-6524.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}