Cubecart
by Cubecart
CVEs (58)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2010-1931 | | | 0.03 | — | 0.01 | | Jun 10, 2010 | SQL injection vulnerability in includes/content/cart.inc.php in CubeCart PHP Shopping cart 4.3.4 through 4.3.9 allows remote attackers to execute arbitrary SQL commands via the shipKey parameter to index.php. |
| CVE-2009-4060 | | | 0.03 | — | 0.02 | | Nov 24, 2009 | SQL injection vulnerability in includes/content/viewProd.inc.php in CubeCart before 4.3.7 allows remote attackers to execute arbitrary SQL commands via the productId parameter. |
| CVE-2006-5107 | | | 0.03 | — | 0.01 | | Oct 3, 2006 | Multiple SQL injection vulnerabilities in Devellion CubeCart 2.0.x allow remote attackers to execute arbitrary SQL commands via (1) the user_name parameter in admin/forgot_pass.php, (2) the order_id parameter in view_order.php, (3) the view_doc parameter in view_doc.php, and (4)… |
| CVE-2006-5108 | | | 0.03 | — | 0.06 | | Oct 3, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in Devellion CubeCart 2.0.x allow remote attackers to inject arbitrary web script or HTML via the order_id parameter in (1) admin/print_order.php and (2) view_order.php; the (3) site_url and (4) la_search_home parameters and… |
| CVE-2006-4525 | | | 0.03 | — | 0.03 | | Sep 1, 2006 | Cross-site scripting (XSS) vulnerability in CubeCart 3.0.12 and earlier, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the links array. |
| CVE-2006-4267 | | | 0.03 | — | 0.03 | | Aug 21, 2006 | Multiple SQL injection vulnerabilities in CubeCart 3.0.11 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) oid parameter in modules/gateway/Protx/confirmed.php and the (2) x_invoice_num parameter in modules/gateway/Authorize/confirmed.php. |
| CVE-2006-0064 | | | 0.03 | — | 0.02 | | Jan 3, 2006 | PHP remote file include vulnerability in includes/orderSuccess.inc.php in CubeCart allows remote attackers to execute arbitrary PHP code via a URL in the glob[rootDir] parameter. |
| CVE-2005-3152 | | | 0.03 | — | 0.02 | | Oct 5, 2005 | Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.3 allow remote attackers to inject arbitrary web script or HTML via the redir parameter to (1) cart.php or (2) index.php, or (3) the searchStr parameter in a viewCat action to index.php. Note: vectors (1) and… |
| CVE-2005-0443 | | | 0.03 | — | 0.05 | | May 2, 2005 | index.php in CubeCart 2.0.4 allows remote attackers to (1) obtain the full path for the web server or (2) conduct cross-site scripting (XSS) attacks via an invalid language parameter, which echoes the parameter in a PHP error message. |
| CVE-2005-1033 | | | 0.03 | — | 0.03 | | May 2, 2005 | CubeCart 2.0.6 allows remote attackers to obtain sensitive information via an invalid (1) language parameter to index.php, (2) PHPSESSID parameter to index.php, (3) product parameter to tellafriend.php, (4) add parameter to view_cart.php, or (5) product parameter to… |
| CVE-2005-0606 | | | 0.03 | — | 0.02 | | May 2, 2005 | Cross-site scripting (XSS) vulnerability in settings.inc.php for CubeCart 2.0.0 through 2.0.5, as used in multiple PHP files, allows remote attackers to inject arbitrary HTML or web script via the (1) cat_id, (2) PHPSESSID, (3) view_doc, (4) product, (5) session, (6) catname,… |
| CVE-2004-1580 | | | 0.03 | — | 0.02 | | Dec 31, 2004 | SQL injection vulnerability in index.php in CubeCart 2.0.1 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. |
| CVE-2024-34832 | | | 0.01 | — | 0.05 | | Jun 6, 2024 | Directory Traversal vulnerability in CubeCart v.6.5.5 and before allows an attacker to execute arbitrary code via a crafted file uploaded to the _g and node parameters. |
| CVE-2025-59413 | | | 0.00 | — | 0.00 | | Sep 22, 2025 | CubeCart is an ecommerce software solution. Prior to version 6.5.11, a logic flaw exists in the newsletter subscription endpoint that allows an attacker to unsubscribe any user without their consent. By changing the value of the force_unsubscribe parameter in the POST request to… |
| CVE-2025-59412 | | | 0.00 | — | 0.00 | | Sep 22, 2025 | CubeCart is an ecommerce software solution. Prior to version 6.5.11, a vulnerability exists in the product reviews feature where user-supplied input is not properly sanitized before being displayed. An attacker can submit HTML tags inside the review description field. Once the… |
| CVE-2025-59411 | | | 0.00 | — | 0.00 | | Sep 22, 2025 | CubeCart is an ecommerce software solution. Prior to version 6.5.11, the contact form’s Enquiry field accepts raw HTML and that HTML is included verbatim in the email sent to the store admin. By submitting HTML in the Enquiry, the admin receives an email containing that HTML.… |
| CVE-2025-59335 | | | 0.00 | — | 0.00 | | Sep 22, 2025 | CubeCart is an ecommerce software solution. Prior to version 6.5.11, there is an absence of automatic session expiration following a user's password change. This oversight poses a security risk, as if a user forgets to log out from a location where they accessed their account,… |
| CVE-2024-33438 | | | 0.00 | — | 0.01 | | Apr 29, 2024 | File Upload vulnerability in CubeCart before 6.5.5 allows an authenticated user to execute arbitrary code via a crafted .phar file. |
| CVE-2023-47675 | | | 0.00 | — | 0.01 | | Nov 17, 2023 | CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary OS command. |
| CVE-2023-47283 | | | 0.00 | — | 0.01 | | Nov 17, 2023 | Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to obtain files in the system. |
Page 2 of 3