Cubecart
CVEs (20)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2013-1465 | Cri | 0.69 | 9.8 | 0.31 | | Feb 8, 2013 | The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object. |
| CVE-2026-34018 | Cri | 0.64 | 9.8 | 0.00 | | Apr 17, 2026 | An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product. |
| CVE-2026-21719 | Hig | 0.47 | 7.2 | 0.00 | | Apr 17, 2026 | An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS command. |
| CVE-2017-2090 | Med | 0.43 | 6.5 | 0.03 | | Apr 28, 2017 | Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors. |
| CVE-2017-2098 | Med | 0.42 | 6.5 | 0.02 | | Apr 28, 2017 | Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors. |
| CVE-2017-2117 | Med | 0.32 | 4.9 | 0.02 | | Apr 28, 2017 | Directory traversal vulnerability in CubeCart versions prior to 6.1.5 allows attacker with administrator rights to read arbitrary files via unspecified vectors. |
| CVE-2026-35496 | Low | 0.18 | 2.7 | 0.00 | | Apr 17, 2026 | A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to access higher-level directories that should not be accessible. |
| CVE-2012-0865 | | 0.04 | — | 0.11 | | Feb 21, 2012 | Multiple open redirect vulnerabilities in CubeCart 3.0.20 and earlier allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) r parameter to switch.php or (2) goto parameter to admin/login.php. |
| CVE-2014-2341 | | 0.03 | — | 0.05 | | Apr 22, 2014 | Session fixation vulnerability in CubeCart before 5.2.9 allows remote attackers to hijack web sessions via the PHPSESSID parameter. |
| CVE-2010-1931 | | 0.03 | — | 0.02 | | Jun 10, 2010 | SQL injection vulnerability in includes/content/cart.inc.php in CubeCart PHP Shopping cart 4.3.4 through 4.3.9 allows remote attackers to execute arbitrary SQL commands via the shipKey parameter to index.php. |
| CVE-2009-4060 | | 0.03 | — | 0.00 | | Nov 24, 2009 | SQL injection vulnerability in includes/content/viewProd.inc.php in CubeCart before 4.3.7 allows remote attackers to execute arbitrary SQL commands via the productId parameter. |
| CVE-2009-3904 | | 0.03 | — | 0.05 | | Nov 6, 2009 | classes/session/cc_admin_session.php in CubeCart 4.3.4 does not properly restrict administrative access permissions, which allows remote attackers to bypass restrictions and gain administrative access via an HTTP request that contains an empty (1) sessID (ccAdmin cookie), (2) X_CLUSTER_CLIENT_IP header, or (3) User-Agent header. |
| CVE-2023-47675 | | 0.00 | — | 0.01 | | Nov 17, 2023 | CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary OS command. |
| CVE-2023-47283 | | 0.00 | — | 0.00 | | Nov 17, 2023 | Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to obtain files in the system. |
| CVE-2023-42428 | | 0.00 | — | 0.02 | | Nov 17, 2023 | Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to delete directories and files in the system. |
| CVE-2023-38130 | | 0.00 | — | 0.01 | | Nov 17, 2023 | Cross-site request forgery (CSRF) vulnerability in CubeCart prior to 6.5.3 allows a remote unauthenticated attacker to delete data in the system. |
| CVE-2015-6928 | | 0.00 | — | 0.01 | | Sep 28, 2015 | classes/admin.class.php in CubeCart 5.2.12 through 5.2.16 and 6.x before 6.0.7 does not properly validate that a password reset request was made, which allows remote attackers to change the administrator password via a recovery request with a space character in the validate parameter and the administrator email in the email parameter. |
| CVE-2010-4903 | | 0.00 | — | 0.00 | | Oct 8, 2011 | SQL injection vulnerability in index.php in CubeCart 4.3.3 allows remote attackers to execute arbitrary SQL commands via the searchStr parameter. |
| CVE-2011-3724 | | 0.00 | — | 0.00 | | Sep 23, 2011 | CubeCart 4.4.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/shipping/USPS/calc.php and certain other files. |
| CVE-2008-1550 | | 0.00 | — | 0.00 | | Mar 31, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in index.php in CubeCart 4.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the _a parameter in a searchStr action and (2) the Submit parameter. |