Filtered by vendor Oscommerce Subscriptions
Total 89 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2020-29070 1 Oscommerce 1 Oscommerce 2024-08-04 4.8 Medium
osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters.
CVE-2020-27975 1 Oscommerce 1 Oscommerce 2024-08-04 8.8 High
osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF.
CVE-2020-27976 1 Oscommerce 1 Oscommerce 2024-08-04 9.8 Critical
osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remotely. Within admin/mail.php, a from POST parameter can be passed to the application. This affects the PHP mail function, and the sendmail -f option.
CVE-2020-23360 1 Oscommerce 1 Oscommerce 2024-08-04 9.8 Critical
oscommerce v2.3.4.1 has a functional problem in user registration and password rechecking, where a non-identical password can bypass the checks in /catalog/admin/administrators.php and /catalog/password_reset.php
CVE-2020-12058 1 Oscommerce 1 Ce Phoenix 2024-08-04 6.1 Medium
Several XSS vulnerabilities in osCommerce CE Phoenix before 1.0.6.0 allow an attacker to inject and execute arbitrary JavaScript code. The malicious code can be injected as follows: the page parameter to catalog/admin/order_status.php, catalog/admin/tax_rates.php, catalog/admin/languages.php, catalog/admin/countries.php, catalog/admin/tax_classes.php, catalog/admin/reviews.php, or catalog/admin/zones.php; or the zpage or spage parameter to catalog/admin/geo_zones.php.
CVE-2022-35212 1 Oscommerce 1 Oscommerce 2024-08-03 6.1 Medium
osCommerce2 before v2.3.4.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the function tep_db_error().
CVE-2023-6609 1 Oscommerce 1 Oscommerce 2024-08-02 3.5 Low
A vulnerability was found in osCommerce 4. It has been classified as problematic. This affects an unknown part of the file /b2b-supermarket/catalog/all-products. The manipulation of the argument keywords with the input %27%22%3E%3Cimg%2Fsrc%3D1+onerror%3Dalert%28document.cookie%29%3E leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-247245 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2023-6579 1 Oscommerce 1 Oscommerce 2024-08-02 7.3 High
A vulnerability, which was classified as critical, has been found in osCommerce 4. Affected by this issue is some unknown functionality of the file /b2b-supermarket/shopping-cart of the component POST Parameter Handler. The manipulation of the argument estimate[country_id] leads to sql injection. The attack may be launched remotely. The identifier of this vulnerability is VDB-247160. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2023-6296 1 Oscommerce 1 Oscommerce 2024-08-02 4.3 Medium
A vulnerability was found in osCommerce 4. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /catalog/compare of the component Instant Message Handler. The manipulation of the argument compare with the input 40dz4iq"><script>alert(1)</script>zohkx leads to cross site scripting. The attack may be launched remotely. VDB-246122 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.