Filtered by vendor Zen-cart
Subscriptions
Total
27 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2009-4323 | 1 Zen-cart | 1 Zen Cart | 2024-09-17 | N/A |
| The installation for Zen Cart stores sensitive information and insecure programs under the (1) docs, (2) extras, and (3) zc_install folders, and (4) install.txt, which allows remote attackers to obtain sensitive information, delete the database, and conduct other attacks via a direct request, different vulnerabilities than CVE-2009-4321 and CVE-2009-4322. | ||||
| CVE-2017-10667 | 1 Zen-cart | 1 Zen Cart | 2024-09-17 | N/A |
| In index.php in Zen Cart 1.6.0, the products_id parameter can cause XSS. | ||||
| CVE-2012-5808 | 2 Firstdata, Zen-cart | 2 Linkpoint, Zen Cart | 2024-09-16 | N/A |
| The LinkPoint module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | ||||
| CVE-2012-5807 | 2 Lincolnloop, Zen-cart | 2 Authorize.net Echeck Module, Zen Cart | 2024-09-16 | N/A |
| The Authorize.Net eCheck module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | ||||
| CVE-2012-5806 | 2 Paypal, Zen-cart | 2 Payments Pro, Zen Cart | 2024-09-16 | N/A |
| The PayPal Payments Pro module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function, a different vulnerability than CVE-2012-5805. | ||||
| CVE-2012-5805 | 2 Paypal, Zen-cart | 2 Instant Payment Notification, Zen Cart | 2024-09-16 | N/A |
| The PayPal IPN functionality in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, a different vulnerability than CVE-2012-5806. | ||||
| CVE-2012-1413 | 1 Zen-cart | 1 Zen Cart | 2024-09-16 | N/A |
| Cross-site scripting (XSS) vulnerability in zc_install/includes/modules/pages/database_setup/header_php.php in Zen Cart 1.5.0 and earlier, when the software is being installed, allows remote attackers to inject arbitrary web script or HTML via the db_username parameter to zc_install/index.php. | ||||
| CVE-2024-5762 | 2 Zen-cart, Zen Cart | 2 Zen Cart, Zen Cart | 2024-08-23 | 8.1 High |
| Zen Cart findPluginAdminPage Local File Inclusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Zen Cart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the findPluginAdminPage function. The issue results from the lack of proper validation of user-supplied data prior to passing it to a PHP include function. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account. Was ZDI-CAN-21408. | ||||
| CVE-2005-3996 | 1 Zen-cart | 1 Zen Cart | 2024-08-07 | N/A |
| SQL injection vulnerability in admin/password_forgotten.php in Zen Cart 1.2.6d and earlier allows remote attackers to execute arbitrary SQL commands via the admin_email parameter. | ||||
| CVE-2006-0697 | 1 Zen-cart | 1 Zen Cart | 2024-08-07 | N/A |
| Zen Cart before 1.2.7 does not protect the admin/includes directory, which allows remote attackers to cause unknown impact via unspecified vectors, probably direct requests. | ||||
| CVE-2008-6985 | 1 Zen-cart | 1 Zen Cart | 2024-08-07 | N/A |
| Multiple SQL injection vulnerabilities in includes/classes/shopping_cart.php in Zen Cart 1.2.0 through 1.3.8a, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the id parameter when (1) adding or (2) updating the shopping cart. | ||||
| CVE-2008-6986 | 1 Zen-cart | 1 Zen Cart | 2024-08-07 | N/A |
| SQL injection vulnerability in the actionMultipleAddProduct function in includes/classes/shopping_cart.php in Zen Cart 1.3.0 through 1.3.8a, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the products_id array parameter in a multiple_products_add_product action, a different vulnerability than CVE-2008-6985. | ||||
| CVE-2008-6615 | 1 Zen-cart | 1 Zen Cart | 2024-08-07 | N/A |
| SQL injection vulnerability in index.php in Zen Software Zen Cart 2008 allows remote attackers to execute arbitrary SQL commands via the keyword parameter in the advanced_search_result page. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||||
| CVE-2008-6616 | 1 Zen-cart | 1 Zen Cart | 2024-08-07 | N/A |
| Cross-site scripting (XSS) vulnerability in index.php in Zen Software Zen Cart 2008 allows remote attackers to inject arbitrary web script or HTML via the keyword parameter in the advanced_search_result page. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||||
| CVE-2009-4322 | 1 Zen-cart | 1 Zen Cart | 2024-08-07 | N/A |
| extras/ipn_test_return.php in Zen Cart allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message. | ||||
| CVE-2009-4321 | 1 Zen-cart | 1 Zen Cart | 2024-08-07 | N/A |
| extras/curltest.php in Zen Cart 1.3.8 and 1.3.8a, and possibly other versions, allows remote attackers to read arbitrary files via a file:// URI. NOTE: some of these details are obtained from third party information. | ||||
| CVE-2009-2255 | 1 Zen-cart | 1 Zen Cart | 2024-08-07 | N/A |
| Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/record_company.php, which allows remote attackers to execute arbitrary code by uploading a .php file via the record_company_image parameter in conjunction with a PATH_INFO of password_forgotten.php, then accessing this file via a direct request to the file in images/. | ||||
| CVE-2009-2254 | 1 Zen-cart | 1 Zen Cart | 2024-08-07 | N/A |
| Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/sqlpatch.php, which allows remote attackers to execute arbitrary SQL commands via the query_string parameter in an execute action, in conjunction with a PATH_INFO of password_forgotten.php, related to a "SQL Execution" issue. | ||||
| CVE-2011-4567 | 1 Zen-cart | 1 Zen Cart | 2024-08-07 | N/A |
| Cross-site scripting (XSS) vulnerability in includes/templates/template_default/templates/tpl_gv_send_default.php in Zen Cart before 1.5 allows remote attackers to inject arbitrary web script or HTML via the message parameter in a gv_send action to index.php, a different vulnerability than CVE-2011-4547. | ||||
| CVE-2011-4547 | 1 Zen-cart | 1 Zen Cart | 2024-08-07 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in includes/templates/template_default/common/tpl_header_test_info.php in Zen Cart 1.3.9h, when debugging is enabled, might allow remote attackers to inject arbitrary web script or HTML via the (1) main_page parameter or (2) PATH_INFO, a different vulnerability than CVE-2011-4567. | ||||