CandyPress

CVEs (6)

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2008-0736	Shoppingtree CandyPress	0.03	—	0.03	Feb 13, 2008	admin/SA_shipFedExMeter.asp in CandyPress (CP) 4.1.1.26, and possibly other 4.x and 3.x versions, allows remote attackers to obtain the path via a certain value of the FedExAccount parameter.
CVE-2008-0738	Shoppingtree CandyPress	0.03	—	0.01	Feb 13, 2008	Multiple SQL injection vulnerabilities in CandyPress (CP) 4.1.1.26, and earlier 4.1.x versions, allow remote attackers to execute arbitrary SQL commands via the (1) idcust parameter to (a) ajax_getTiers.asp and (b) ajax_getCust.asp in ajax/, and the (2) tableName parameter to…
CVE-2008-0739	Shoppingtree CandyPress	0.03	—	0.01	Feb 13, 2008	SQL injection vulnerability in admin/SA_shipFedExMeter.asp in CandyPress (CP) 4.1.1.26, and earlier 4.x and 3.x versions, allows remote attackers to execute arbitrary SQL commands via the FedExAccount parameter.
CVE-2008-0546	Shoppingtree CandyPress	0.03	—	0.03	Feb 1, 2008	Multiple SQL injection vulnerabilities in CandyPress (CP) 4.1.1.26, and earlier 4.1.x versions, allow remote attackers to execute arbitrary SQL commands via the (1) idProduct and (2) options parameters to (a) ajax/ajax_optInventory.asp, or the (2) recid parameter to (b)…
CVE-2008-0547	Shoppingtree CandyPress	0.03	—	0.04	Feb 1, 2008	Cross-site scripting (XSS) vulnerability in admin/utilities_ConfigHelp.asp in CandyPress (CP) 4.1.1.26, and probably earlier 4.x and 3.x versions, allows remote attackers to inject arbitrary web script or HTML via the helpfield parameter.
CVE-2007-5629	Shoppingtree Store	0.00	—	0.01	Oct 23, 2007	Cross-site scripting (XSS) vulnerability in admin/logon.asp in ShoppingTree CandyPress Store 4.1 allows remote attackers to inject arbitrary web script or HTML via the msg parameter, a different vector than CVE-2007-2804. NOTE: the provenance of this information is unknown; the…

CVE-2008-0736Feb 13, 2008
Shoppingtree
CandyPress
risk 0.03cvss —epss 0.03
admin/SA_shipFedExMeter.asp in CandyPress (CP) 4.1.1.26, and possibly other 4.x and 3.x versions, allows remote attackers to obtain the path via a certain value of the FedExAccount parameter.
CVE-2008-0738Feb 13, 2008
Shoppingtree
CandyPress
risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in CandyPress (CP) 4.1.1.26, and earlier 4.1.x versions, allow remote attackers to execute arbitrary SQL commands via the (1) idcust parameter to (a) ajax_getTiers.asp and (b) ajax_getCust.asp in ajax/, and the (2) tableName parameter to…
CVE-2008-0739Feb 13, 2008
Shoppingtree
CandyPress
risk 0.03cvss —epss 0.01
SQL injection vulnerability in admin/SA_shipFedExMeter.asp in CandyPress (CP) 4.1.1.26, and earlier 4.x and 3.x versions, allows remote attackers to execute arbitrary SQL commands via the FedExAccount parameter.
CVE-2008-0546Feb 1, 2008
Shoppingtree
CandyPress
risk 0.03cvss —epss 0.03
Multiple SQL injection vulnerabilities in CandyPress (CP) 4.1.1.26, and earlier 4.1.x versions, allow remote attackers to execute arbitrary SQL commands via the (1) idProduct and (2) options parameters to (a) ajax/ajax_optInventory.asp, or the (2) recid parameter to (b)…
CVE-2008-0547Feb 1, 2008
Shoppingtree
CandyPress
risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in admin/utilities_ConfigHelp.asp in CandyPress (CP) 4.1.1.26, and probably earlier 4.x and 3.x versions, allows remote attackers to inject arbitrary web script or HTML via the helpfield parameter.
CVE-2007-5629Oct 23, 2007
Shoppingtree
Store
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in admin/logon.asp in ShoppingTree CandyPress Store 4.1 allows remote attackers to inject arbitrary web script or HTML via the msg parameter, a different vector than CVE-2007-2804. NOTE: the provenance of this information is unknown; the…