Cubecart
by Cubecart
Source repositories
CVEs (58)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2023-42428 | 0.00 | — | 0.01 | Nov 17, 2023 | Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to delete directories and files in the system. |
| CVE-2023-38130 | 0.00 | — | 0.00 | Nov 17, 2023 | Cross-site request forgery (CSRF) vulnerability in CubeCart prior to 6.5.3 allows a remote unauthenticated attacker to delete data in the system. |
| CVE-2021-33394 | 0.00 | — | 0.01 | May 27, 2021 | Cubecart 6.4.2 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid,… |
| CVE-2018-20716 | 0.00 | — | 0.01 | Jan 15, 2019 | CubeCart before 6.1.13 has SQL Injection via the validate[] parameter of the "I forgot my Password!" feature. |
| CVE-2018-20703 | 0.00 | — | 0.01 | Jan 13, 2019 | CubeCart 6.2.2 has Reflected XSS via a /{ADMIN-FILE}/ query string. |
| CVE-2015-6928 | 0.00 | — | 0.02 | Sep 28, 2015 | classes/admin.class.php in CubeCart 5.2.12 through 5.2.16 and 6.x before 6.0.7 does not properly validate that a password reset request was made, which allows remote attackers to change the administrator password via a recovery request with a space character in the validate… |
| CVE-2010-4903 | 0.00 | — | 0.01 | Oct 8, 2011 | SQL injection vulnerability in index.php in CubeCart 4.3.3 allows remote attackers to execute arbitrary SQL commands via the searchStr parameter. |
| CVE-2011-3724 | 0.00 | — | 0.01 | Sep 23, 2011 | CubeCart 4.4.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/shipping/USPS/calc.php and certain other files. |
| CVE-2008-1550 | 0.00 | — | 0.01 | Mar 31, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in index.php in CubeCart 4.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the _a parameter in a searchStr action and (2) the Submit parameter. |
| CVE-2007-2862 | 0.00 | — | 0.01 | May 24, 2007 | Multiple SQL injection vulnerabilities in CubeCart 3.0.16 might allow remote attackers to execute arbitrary SQL commands via an unspecified parameter to cart.inc.php and certain other files in an include directory, related to missing sanitization of the $option variable and… |
| CVE-2007-2550 | 0.00 | — | 0.02 | May 9, 2007 | Multiple CRLF injection vulnerabilities in Devellion CubeCart 3.0.15 allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a cookie name beginning with "ccSID" to (1) cart.php or (2) index.php. |
| CVE-2006-5109 | 0.00 | — | 0.01 | Oct 3, 2006 | Devellion CubeCart 2.0.x allows remote attackers to obtain sensitive information via a direct request for (1) link_navi.php or (2) spotlight.php, which reveals the path in various error messages. NOTE: the information.php, language.php, list_docs.php, popular_prod.php,… |
| CVE-2006-4527 | 0.00 | — | 0.01 | Sep 1, 2006 | includes/content/gateway.inc.php in CubeCart 3.0.12 and earlier, when magic_quotes_gpc is disabled, uses an insufficiently restrictive regular expression to validate the gateway parameter, which allows remote attackers to conduct PHP remote file inclusion attacks. |
| CVE-2006-4526 | 0.00 | — | 0.01 | Sep 1, 2006 | SQL injection vulnerability in includes/content/viewCat.inc.php in CubeCart 3.0.12 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary SQL commands via the searchArray[] parameter. |
| CVE-2006-4268 | 0.00 | — | 0.02 | Aug 21, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.11 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) file, (2) x, and (3) y parameters in (a) admin/filemanager/preview.php; and the (4) email parameter in (b) admin/login.php. |
| CVE-2006-0245 | 0.00 | — | 0.01 | Jan 18, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.7-pl1 allow remote attackers to inject arbitrary web script or HTML via the (3) redir, (4) productId, (5) docId, (6) act, and (7) catId parameters in index.php; and the (8) username field in a login action in… |
| CVE-2005-0607 | 0.00 | — | 0.01 | May 2, 2005 | CubeCart 2.0.0 through 2.0.5 allows remote attackers to determine the full path of the server via direct calls without parameters to (1) information.php, (2) language.php, (3) list_docs.php, (4) popular_prod.php, (5) sale.php, (6) subfooter.inc.php, (7) subheader.inc.php, (8)… |
| CVE-2004-1579 | 0.00 | — | 0.01 | Dec 31, 2004 | index.php in CubeCart 2.0.1 allows remote attackers to gain sensitive information via an HTTP request with an invalid cat_id parameter, which reveals the full path in a PHP error message. |
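A triage helper for the listing above, added here as an example (it is not CubeCart's code and not part of the original page). It transcribes the affected-version ranges exactly as the CVE descriptions state them and answers which of the listed CVEs apply to a given installed version. Versions are compared component-wise as integers, because a string comparison would put 6.1.9 after 6.1.13 and miss CVE-2018-20716. Two caveats follow from taking the descriptions literally: a description that names a single release ("CubeCart 4.3.3") is encoded as that one release even though neighbouring releases were probably affected too, and an open-ended "before X" range also matches branches far older than the one where the vulnerable code was introduced, so a hit on an old branch is a prompt to read the advisory rather than a confirmed finding. Only the 18 CVEs shown on this page are encoded.

```python
"""Which of the CubeCart CVEs listed on this page affect a given version?

Added example, not CubeCart's code.  Ranges are transcribed from the CVE
descriptions on the page; single-release descriptions are taken as that
release only, and open-ended "before X" ranges are applied literally.
"""
import re


def parse_version(text):
    """Split a version string into a comparable tuple of tokens.

    '6.1.13'    -> ((0, 6), (0, 1), (0, 13))
    '3.0.7-pl1' -> ((0, 3), (0, 0), (0, 7), (1, 'pl'), (0, 1))

    Numeric tokens compare as integers, so 6.1.9 < 6.1.13 (a plain string
    comparison gets this backwards).  A '-pl1' patch level sorts after the
    bare release because a tuple with an equal prefix but more elements
    compares greater.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", text)
    if not tokens:
        raise ValueError(f"not a version string: {text!r}")
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower()) for t in tokens)


class Range:
    """Interval over parsed versions; a bound of None means unbounded."""

    def __init__(self, lo=None, hi=None, lo_incl=True, hi_incl=True):
        self.lo = parse_version(lo) if lo else None
        self.hi = parse_version(hi) if hi else None
        self.lo_incl, self.hi_incl = lo_incl, hi_incl

    def contains(self, v):
        if self.lo is not None and (v < self.lo or (v == self.lo and not self.lo_incl)):
            return False
        if self.hi is not None and (v > self.hi or (v == self.hi and not self.hi_incl)):
            return False
        return True


def exact(v):       # "CubeCart 4.3.3"
    return Range(v, v)

def before(v):      # "prior to 6.5.3", "before 6.1.13"
    return Range(hi=v, hi_incl=False)

def at_most(v):     # "3.0.12 and earlier"
    return Range(hi=v)

def between(a, b):  # "5.2.12 through 5.2.16"
    return Range(a, b)


# Transcribed from the table on this page (page 3 of the listing only).
AFFECTED = {
    "CVE-2023-42428": [before("6.5.3")],
    "CVE-2023-38130": [before("6.5.3")],
    "CVE-2021-33394": [exact("6.4.2")],
    "CVE-2018-20716": [before("6.1.13")],
    "CVE-2018-20703": [exact("6.2.2")],
    "CVE-2015-6928": [between("5.2.12", "5.2.16"),
                      Range("6", "6.0.7", hi_incl=False)],      # "6.x before 6.0.7"
    "CVE-2010-4903": [exact("4.3.3")],
    "CVE-2011-3724": [exact("4.4.3")],
    "CVE-2008-1550": [exact("4.2.1")],
    "CVE-2007-2862": [exact("3.0.16")],
    "CVE-2007-2550": [exact("3.0.15")],
    "CVE-2006-5109": [Range("2.0", "2.1", hi_incl=False)],      # "2.0.x"
    "CVE-2006-4527": [at_most("3.0.12")],
    "CVE-2006-4526": [at_most("3.0.12")],
    "CVE-2006-4268": [at_most("3.0.11")],
    "CVE-2006-0245": [exact("3.0.7-pl1")],
    "CVE-2005-0607": [between("2.0.0", "2.0.5")],
    "CVE-2004-1579": [exact("2.0.1")],
}


def affected_cves(version):
    """Sorted list of CVE ids from the table whose stated range contains `version`."""
    v = parse_version(version)
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(r.contains(v) for r in ranges))


if __name__ == "__main__":
    for ver in ("6.5.3", "6.4.2", "6.1.9", "6.0.6", "3.0.7-pl1"):
        print(f"{ver:10} {affected_cves(ver)}")
```

Run it with the version reported by the store's admin panel; an empty list for 6.5.3 and a three-item list for 6.4.2 are the expected outputs for the ranges as the page states them.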
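The newest entry in the table, CVE-2023-42428, is an authenticated directory traversal that lets an administrator delete files and directories outside the intended location. The check below is a generic illustration of how a delete endpoint keeps an admin-supplied path inside the store's directory; it is an added Python example, not CubeCart's code and not its actual patch. The store directory, the symlink that escapes it, and the request paths are all constructed inside the block, and POSIX paths are assumed.

```python
"""Path-containment check of the kind that closes an authenticated
directory-traversal delete.  Added example; not CubeCart's code or fix."""
import os
import shutil
import tempfile


def resolve_inside(base_dir, user_path):
    """Canonicalise base_dir/user_path and return it only if it stays inside base_dir.

    realpath() resolves '..' segments and symlinks, so a link inside the store
    that points outside is caught as well as a literal '../'.  An absolute
    user_path makes os.path.join discard base_dir, and the containment test
    then rejects it.  Containment is checked with commonpath(), which compares
    path components; a string-prefix test would wrongly accept '/srv/shop2/x'
    for base '/srv/shop'.  Returns None when the path escapes.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    try:
        if os.path.commonpath([base, target]) != base:
            return None
    except ValueError:          # e.g. different drives on Windows: never inside
        return None
    return target


def delete_inside(base_dir, user_path):
    """Delete a file or directory under base_dir.

    Refuses paths that escape base_dir and refuses base_dir itself, so a
    request for '.' or '' cannot wipe the whole store.  Returns True if
    something was removed, False if the request was refused or nothing existed.
    """
    target = resolve_inside(base_dir, user_path)
    if target is None or target == os.path.realpath(base_dir):
        return False
    if os.path.isdir(target):
        shutil.rmtree(target)
    elif os.path.exists(target):
        os.remove(target)
    else:
        return False
    return True


def demo():
    """Build a throwaway store (constructed sample tree) and send it the
    requests a legitimate admin and an attacker would send."""
    root = tempfile.mkdtemp()
    store = os.path.join(root, "store")
    os.makedirs(os.path.join(store, "images"))
    open(os.path.join(store, "images", "logo.png"), "w").close()
    open(os.path.join(root, "outside.txt"), "w").close()   # must survive every attack
    os.symlink(root, os.path.join(store, "link"))          # symlink escaping the store
    results = {
        "legit":       delete_inside(store, "images/logo.png"),
        "dotdot":      delete_inside(store, "../outside.txt"),
        "absolute":    delete_inside(store, os.path.join(root, "outside.txt")),
        "symlink":     delete_inside(store, "link/outside.txt"),
        "base_itself": delete_inside(store, "."),
    }
    results["outside_survived"] = os.path.exists(os.path.join(root, "outside.txt"))
    results["store_survived"] = os.path.isdir(store)
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:17} {outcome}")
```

Because the target is canonicalised before the comparison, a symlink that lives inside the store but points outside it cannot be deleted through this endpoint either; that is the conservative choice for a delete operation, and a separate, explicitly audited code path should handle link removal if the application needs it.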
Page 3 of 3