CVE-2018-12519

HIGH

ShopNx through 2017-11-17 - Unrestricted Upload of File with Dangerous Type

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-12519. PoCs published by L0RD.

AI-analyzed exploit summary: This exploit demonstrates an arbitrary file upload vulnerability in ShopNx 1, allowing attackers to upload malicious HTML files containing JavaScript code. The vulnerability arises due to insufficient input sanitization, enabling potential XSS attacks.

Description

An issue was discovered in ShopNx through 2017-11-17. The vulnerability allows a remote attacker to upload any malicious file to a Node.js application. An attacker can upload a malicious HTML file that contains a JavaScript payload to steal a user's credentials.

Exploits (1)

exploitdb WORKING POC
by L0RD · text · webapps · php
https://www.exploit-db.com/exploits/44978

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: ShopNx - Angular5 Single Page Shopping Cart Application 1
Auth required
Prerequisites: Valid user credentials · Access to the edit profile page
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44978/
Exploit, Third Party Advisory x_refsource_misc
https://cxsecurity.com/issue/WLB-2018060185

Scores

CVSS v3 8.8
EPSS 0.0786
EPSS Percentile 93.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-434
Status: published
Products (1): codenx/shopnx
Published: Jun 19, 2018
Tracked Since Feb 18, 2026