Filtered by vendor Oscommerce
Subscriptions
Filtered by product Oscommerce
Subscriptions
Total
77 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-43733 | 1 Oscommerce | 1 Oscommerce | 2023-10-19 | 5.4 Medium |
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "company_address" parameter, potentially leading to unauthorized execution of scripts within a user's web browser. | ||||
CVE-2023-43732 | 1 Oscommerce | 1 Oscommerce | 2023-10-19 | 5.4 Medium |
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "tax_class_title" parameter, potentially leading to unauthorized execution of scripts within a user's web browser. | ||||
CVE-2023-43731 | 1 Oscommerce | 1 Oscommerce | 2023-10-19 | 5.4 Medium |
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "zone_name" parameter, potentially leading to unauthorized execution of scripts within a user's web browser. | ||||
CVE-2023-43730 | 1 Oscommerce | 1 Oscommerce | 2023-10-19 | 5.4 Medium |
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "countries_name[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser. | ||||
CVE-2023-5111 | 1 Oscommerce | 1 Oscommerce | 2023-10-06 | 5.4 Medium |
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "featured_type_name[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser. | ||||
CVE-2006-6534 | 1 Oscommerce | 1 Oscommerce | 2022-10-03 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in osCommerce 3.0a3 allow remote attackers to inject arbitrary web script or HTML via the (1) set parameter to admin/modules.php, the (2) selected_box parameter to definitiva/admin/customers.php, the (3) lID parameter to admin/languages_definitions.php, or the (4) pID parameter to admin/products.php. | ||||
CVE-2012-0311 | 1 Oscommerce | 1 Oscommerce | 2022-10-03 | N/A |
Cross-site scripting (XSS) vulnerability in osCommerce 2.2MS1J before R9 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
CVE-2012-0312 | 1 Oscommerce | 2 Online Merchant, Oscommerce | 2022-10-03 | N/A |
Cross-site scripting (XSS) vulnerability in osCommerce 2.2MS1J before R9, and osCommerce Online Merchant before 2.3.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
CVE-2012-5798 | 2 Oscommerce, Paypal | 2 Oscommerce, Payflow Pro Express Checkout | 2022-10-03 | N/A |
The PayPal Pro PayFlow EC module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | ||||
CVE-2022-35212 | 1 Oscommerce | 1 Oscommerce | 2022-08-19 | 6.1 Medium |
osCommerce2 before v2.3.4.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the function tep_db_error(). | ||||
CVE-2020-23360 | 1 Oscommerce | 1 Oscommerce | 2021-02-02 | 9.8 Critical |
oscommerce v2.3.4.1 has a functional problem in user registration and password rechecking, where a non-identical password can bypass the checks in /catalog/admin/administrators.php and /catalog/password_reset.php | ||||
CVE-2020-29070 | 1 Oscommerce | 1 Oscommerce | 2020-11-27 | 4.8 Medium |
osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters. | ||||
CVE-2020-27976 | 1 Oscommerce | 1 Oscommerce | 2020-10-29 | 9.8 Critical |
osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remotely. Within admin/mail.php, a from POST parameter can be passed to the application. This affects the PHP mail function, and the sendmail -f option. | ||||
CVE-2020-27975 | 1 Oscommerce | 1 Oscommerce | 2020-10-29 | 8.8 High |
osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF. | ||||
CVE-2018-18572 | 1 Oscommerce | 1 Oscommerce | 2019-08-29 | N/A |
osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Because of this filter, script files with certain PHP-related extensions (such as .phtml and .php5) didn't execute in the application. But this filter didn't prevent the '.pht' extension. Thus, remote authenticated administrators can upload '.pht' files for arbitrary PHP code execution via a /catalog/admin/categories.php?cPath=&action=new_product URI. | ||||
CVE-2018-18573 | 1 Oscommerce | 1 Oscommerce | 2019-08-28 | N/A |
osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Remote authenticated administrators can upload new '.htaccess' files (e.g., omitting .php) and subsequently achieve arbitrary PHP code execution via a /catalog/admin/categories.php?cPath=&action=new_product URI. | ||||
CVE-2006-4297 | 1 Oscommerce | 1 Oscommerce | 2018-10-17 | N/A |
SQL injection vulnerability in shopping_cart.php in osCommerce before 2.2 Milestone 2 060817 allows remote attackers to execute arbitrary SQL commands via id array parameters. | ||||
CVE-2008-4170 | 1 Oscommerce | 1 Oscommerce | 2018-10-11 | N/A |
create_account.php in osCommerce 2.2 RC 2a allows remote attackers to obtain sensitive information via an invalid dob parameter, which reveals the installation path in an error message. | ||||
CVE-2011-4543 | 1 Oscommerce | 1 Oscommerce | 2018-01-06 | N/A |
Multiple directory traversal vulnerabilities in osCommerce 3.0.2 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) set or (2) module parameter to (a) OM/Core/Site/Admin/Application/templates_modules/pages/info.php, (b) OM/Core/Site/Admin/Application/templates_modules/pages/edit.php, or (c) OM/Core/Site/Admin/Application/templates_modules/pages/uninstall.php; the (3) set parameter to OM/Core/Site/Admin/Application/templates_modules/pages/main.php; the module parameter to (4) OM/Core/Site/Admin/Application/modules_order_total/pages/edit.php, (5) OM/Core/Site/Admin/Application/modules_order_total/pages/uninstall.php, (6) OM/Core/Site/Admin/Application/modules_order_total/pages/info.php, (7) OM/Core/Site/Admin/Application/modules_geoip/pages/edit.php, (8) OM/Core/Site/Admin/Application/modules_geoip/pages/uninstall.php, (9) OM/Core/Site/Admin/Application/images/pages/main.php, (10) OM/Core/Site/Admin/Application/modules_shipping/pages/edit.php, or (11) OM/Core/Site/Admin/Application/modules_shipping/pages/uninstall.php; the filter parameter to (12) OM/Core/Site/Admin/Application/templates_modules_layout/pages/main.php, (13) OM/Core/Site/Admin/Application/templates_modules_layout/pages/new.php, or (14) OM/Core/Site/Admin/Application/templates_modules_layout/pages/edit.php; or the template parameter to (15) OM/Core/Site/Admin/Application/templates/pages/info.php, (16) OM/Core/Site/Admin/Application/templates/pages/edit.php, or (17) OM/Core/Site/Admin/Application/templates/pages/uninstall.php. | ||||
CVE-2006-5190 | 1 Oscommerce | 1 Oscommerce | 2017-10-05 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in osCommerce 2.2 Milestone 2 Update 060817 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter in the (a) banner_manager.php, (b) banner_statistics.php, (c) countries.php, (d) currencies.php, (e) languages.php, (f) manufacturers.php, (g) newsletters.php, (h) orders_status.php, (i) products_attributes.php, (j) products_expected.php, (k) reviews.php, (l) specials.php, (m) stats_products_purchased.php, (n) stats_products_viewed.php, (o) tax_classes.php, (p) tax_rates.php, or (q) zones.php scripts in /admin, and the (2) zpage parameter in (r) admin/geo_zones.php. |