Cubecart

by Cubecart

CVEs (58)

  • CVE-2023-42428 (Nov 17, 2023)
    risk 0.00 · cvss · epss 0.01

    Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to delete directories and files in the system.

  • CVE-2023-38130 (Nov 17, 2023)
    risk 0.00 · cvss · epss 0.00

    Cross-site request forgery (CSRF) vulnerability in CubeCart prior to 6.5.3 allows a remote unauthenticated attacker to delete data in the system.

  • CVE-2021-33394 (May 27, 2021)
    risk 0.00 · cvss · epss 0.01

    Cubecart 6.4.2 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid,…

  • CVE-2018-20716 (Jan 15, 2019)
    risk 0.00 · cvss · epss 0.01

    CubeCart before 6.1.13 has SQL Injection via the validate[] parameter of the "I forgot my Password!" feature.

  • CVE-2018-20703 (Jan 13, 2019)
    risk 0.00 · cvss · epss 0.01

    CubeCart 6.2.2 has Reflected XSS via a /{ADMIN-FILE}/ query string.

  • CVE-2015-6928 (Sep 28, 2015)
    risk 0.00 · cvss · epss 0.02

    classes/admin.class.php in CubeCart 5.2.12 through 5.2.16 and 6.x before 6.0.7 does not properly validate that a password reset request was made, which allows remote attackers to change the administrator password via a recovery request with a space character in the validate…

  • CVE-2010-4903 (Oct 8, 2011)
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in index.php in CubeCart 4.3.3 allows remote attackers to execute arbitrary SQL commands via the searchStr parameter.

  • CVE-2011-3724 (Sep 23, 2011)
    risk 0.00 · cvss · epss 0.01

    CubeCart 4.4.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/shipping/USPS/calc.php and certain other files.

  • CVE-2008-1550 (Mar 31, 2008)
    risk 0.00 · cvss · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in index.php in CubeCart 4.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the _a parameter in a searchStr action and the (2) Submit parameter.

  • CVE-2007-2862 (May 24, 2007)
    risk 0.00 · cvss · epss 0.01

    Multiple SQL injection vulnerabilities in CubeCart 3.0.16 might allow remote attackers to execute arbitrary SQL commands via an unspecified parameter to cart.inc.php and certain other files in an include directory, related to missing sanitization of the $option variable and…

  • CVE-2007-2550 (May 9, 2007)
    risk 0.00 · cvss · epss 0.02

    Multiple CRLF injection vulnerabilities in Devellion CubeCart 3.0.15 allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a cookie name beginning with "ccSID" to (1) cart.php or (2) index.php.

  • CVE-2006-5109 (Oct 3, 2006)
    risk 0.00 · cvss · epss 0.01

    Devellion CubeCart 2.0.x allows remote attackers to obtain sensitive information via a direct request for (1) link_navi.php or (2) spotlight.php, which reveals the path in various error messages. NOTE: the information.php, language.php, list_docs.php, popular_prod.php,…

  • CVE-2006-4527 (Sep 1, 2006)
    risk 0.00 · cvss · epss 0.01

    includes/content/gateway.inc.php in CubeCart 3.0.12 and earlier, when magic_quotes_gpc is disabled, uses an insufficiently restrictive regular expression to validate the gateway parameter, which allows remote attackers to conduct PHP remote file inclusion attacks.

  • CVE-2006-4526 (Sep 1, 2006)
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in includes/content/viewCat.inc.php in CubeCart 3.0.12 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary SQL commands via the searchArray[] parameter.

  • CVE-2006-4268 (Aug 21, 2006)
    risk 0.00 · cvss · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.11 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) file, (2) x, and (3) y parameters in (a) admin/filemanager/preview.php; and the (4) email parameter in (b) admin/login.php.

  • CVE-2006-0245 (Jan 18, 2006)
    risk 0.00 · cvss · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.7-pl1 allow remote attackers to inject arbitrary web script or HTML via the (3) redir, (4) productId, (5) docId, (6) act, and (7) catId parameters in index.php; and the (8) username field in a login action in…

  • CVE-2005-0607 (May 2, 2005)
    risk 0.00 · cvss · epss 0.01

    CubeCart 2.0.0 through 2.0.5 allows remote attackers to determine the full path of the server via direct calls without parameters to (1) information.php, (2) language.php, (3) list_docs.php, (4) popular_prod.php, (5) sale.php, (6) subfooter.inc.php, (7) subheader.inc.php, (8)…

  • CVE-2004-1579 (Dec 31, 2004)
    risk 0.00 · cvss · epss 0.01

    index.php in CubeCart 2.0.1 allows remote attackers to gain sensitive information via an HTTP request with an invalid cat_id parameter, which reveals the full path in a PHP error message.