In Kartatopia PilusCart 1.4.1, the filename parameter in catalog.php is mishandled, leading to Local File Disclosure via ../ path traversal.
CVSS: 7.5
AI Score: 7.4
EPSS: 0.645
PilusCart 1.4.1 is vulnerable to CSRF in index.php?module=users&action=newUser, leading to the addition of a new user as administrator.
CVSS: 8.8
AI Score: 8.5
EPSS: 0.001