VYPR

Cubecart

by Cubecart

CVEs (58)

  • CVE-2010-1931 (Jun 10, 2010)
    risk 0.03 cvss, epss 0.01

    SQL injection vulnerability in includes/content/cart.inc.php in CubeCart PHP Shopping cart 4.3.4 through 4.3.9 allows remote attackers to execute arbitrary SQL commands via the shipKey parameter to index.php.

  • CVE-2009-4060 (Nov 24, 2009)
    risk 0.03 cvss, epss 0.02

    SQL injection vulnerability in includes/content/viewProd.inc.php in CubeCart before 4.3.7 allows remote attackers to execute arbitrary SQL commands via the productId parameter.

  • CVE-2006-5107 (Oct 3, 2006)
    risk 0.03 cvss, epss 0.01

    Multiple SQL injection vulnerabilities in Devellion CubeCart 2.0.x allow remote attackers to execute arbitrary SQL commands via (1) the user_name parameter in admin/forgot_pass.php, (2) the order_id parameter in view_order.php, (3) the view_doc parameter in view_doc.php, and (4)…

  • CVE-2006-5108 (Oct 3, 2006)
    risk 0.03 cvss, epss 0.06

    Multiple cross-site scripting (XSS) vulnerabilities in Devellion CubeCart 2.0.x allow remote attackers to inject arbitrary web script or HTML via the order_id parameter in (1) admin/print_order.php and (2) view_order.php; the (3) site_url and (4) la_search_home parameters and…

  • CVE-2006-4525 (Sep 1, 2006)
    risk 0.03 cvss, epss 0.03

    Cross-site scripting (XSS) vulnerability in CubeCart 3.0.12 and earlier, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the links array.

  • CVE-2006-4267 (Aug 21, 2006)
    risk 0.03 cvss, epss 0.03

    Multiple SQL injection vulnerabilities in CubeCart 3.0.11 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) oid parameter in modules/gateway/Protx/confirmed.php and the (2) x_invoice_num parameter in modules/gateway/Authorize/confirmed.php.

  • CVE-2006-0064 (Jan 3, 2006)
    risk 0.03 cvss, epss 0.02

    PHP remote file include vulnerability in includes/orderSuccess.inc.php in CubeCart allows remote attackers to execute arbitrary PHP code via a URL in the glob[rootDir] parameter.

  • CVE-2005-3152 (Oct 5, 2005)
    risk 0.03 cvss, epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.3 allow remote attackers to inject arbitrary web script or HTML via the redir parameter to (1) cart.php or (2) index.php, or (3) the searchStr parameter in a viewCat action to index.php. Note: vectors (1) and…

  • CVE-2005-0443 (May 2, 2005)
    risk 0.03 cvss, epss 0.05

    index.php in CubeCart 2.0.4 allows remote attackers to (1) obtain the full path for the web server or (2) conduct cross-site scripting (XSS) attacks via an invalid language parameter, which echoes the parameter in a PHP error message.

  • CVE-2005-1033 (May 2, 2005)
    risk 0.03 cvss, epss 0.03

    CubeCart 2.0.6 allows remote attackers to obtain sensitive information via an invalid (1) language parameter to index.php, (2) PHPSESSID parameter to index.php, (3) product parameter to tellafriend.php, (4) add parameter to view_cart.php, or (5) product parameter to…

  • CVE-2005-0606 (May 2, 2005)
    risk 0.03 cvss, epss 0.02

    Cross-site scripting (XSS) vulnerability in settings.inc.php for CubeCart 2.0.0 through 2.0.5, as used in multiple PHP files, allows remote attackers to inject arbitrary HTML or web script via the (1) cat_id, (2) PHPSESSID, (3) view_doc, (4) product, (5) session, (6) catname,…

  • CVE-2004-1580 (Dec 31, 2004)
    risk 0.03 cvss, epss 0.02

    SQL injection vulnerability in index.php in CubeCart 2.0.1 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter.

  • CVE-2024-34832 (Jun 6, 2024)
    risk 0.01 cvss, epss 0.05

    Directory Traversal vulnerability in CubeCart v.6.5.5 and before allows an attacker to execute arbitrary code via a crafted file uploaded to the _g and node parameters.

  • CVE-2025-59413 (Sep 22, 2025)
    risk 0.00 cvss, epss 0.00

    CubeCart is an ecommerce software solution. Prior to version 6.5.11, a logic flaw exists in the newsletter subscription endpoint that allows an attacker to unsubscribe any user without their consent. By changing the value of the force_unsubscribe parameter in the POST request to…

  • CVE-2025-59412 (Sep 22, 2025)
    risk 0.00 cvss, epss 0.00

    CubeCart is an ecommerce software solution. Prior to version 6.5.11, a vulnerability exists in the product reviews feature where user-supplied input is not properly sanitized before being displayed. An attacker can submit HTML tags inside the review description field. Once the…

  • CVE-2025-59411 (Sep 22, 2025)
    risk 0.00 cvss, epss 0.00

    CubeCart is an ecommerce software solution. Prior to version 6.5.11, the contact form’s Enquiry field accepts raw HTML and that HTML is included verbatim in the email sent to the store admin. By submitting HTML in the Enquiry, the admin receives an email containing that HTML.…

  • CVE-2025-59335 (Sep 22, 2025)
    risk 0.00 cvss, epss 0.00

    CubeCart is an ecommerce software solution. Prior to version 6.5.11, there is an absence of automatic session expiration following a user's password change. This oversight poses a security risk, as if a user forgets to log out from a location where they accessed their account,…

  • CVE-2024-33438 (Apr 29, 2024)
    risk 0.00 cvss, epss 0.01

    File Upload vulnerability in CubeCart before 6.5.5 allows an authenticated user to execute arbitrary code via a crafted .phar file.

  • CVE-2023-47675 (Nov 17, 2023)
    risk 0.00 cvss, epss 0.01

    CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary OS command.

  • CVE-2023-47283 (Nov 17, 2023)
    risk 0.00 cvss, epss 0.01

    Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to obtain files in the system.