lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAFmK-GwSHH=Cbg1mbWGRea1ngRULgHwfK894M9ADWr5V-rbQng@mail.gmail.com>
Date: Sun, 17 Aug 2025 23:01:41 -0400
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Insufficient Resource Allocation Limits in nopCommerce v4.10
 and v4.80.3 Excel Import Functionality

nopCommerce is vulnerable to Insufficient Resource Allocation Limits when
handling large Excel file imports. Although the application provides a
warning message recommending that users avoid importing more than 500–1,000
records at once due to memory constraints, the system does not enforce hard
limits on file size, record count, or concurrent imports.

An attacker can exploit this by uploading excessively large Excel files or
automating multiple simultaneous uploads (e.g., using Burp Suite or another
proxy tool). This results in resource exhaustion on the application server,
leading to significant performance degradation and potential denial of
service (DoS) conditions.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ