VYPR

Online Merchant

by OsCommerce

CVEs (8)

  • CVE-2018-25114 · Cri · Jul 23, 2025
    risk 0.70 · cvss · epss 0.03

    A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication in the installer workflow. By default, the /install/ directory remains accessible after installation. An…

  • CVE-2024-4348 · Med · Apr 30, 2024
    risk 0.29 · cvss 4.3 · epss 0.02

    A vulnerability, which was classified as problematic, was found in osCommerce 4. Affected is an unknown function of the file /catalog/all-products. The manipulation of the argument cat leads to cross site scripting. It is possible to launch the attack remotely. The exploit has…

  • CVE-2014-10033 · Jan 13, 2015
    risk 0.00 · cvss · epss 0.02

    SQL injection vulnerability in the update_zone function in catalog/admin/geo_zones.php in osCommerce Online Merchant 2.3.3.4 and earlier allows remote administrators to execute arbitrary SQL commands via the zID parameter in a list action.

  • CVE-2012-2991 · Sep 19, 2012
    risk 0.00 · cvss · epss 0.01

    The PayPal (aka MODULE_PAYMENT_PAYPAL_STANDARD) module before 1.1 in osCommerce Online Merchant before 2.3.4 allows remote attackers to set the payment recipient via a modified value of the merchant's e-mail address, as demonstrated by setting the recipient to one's self.

  • CVE-2012-2935 · May 27, 2012
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Shop/Application/Checkout/pages/main.php in OSCommerce Online Merchant 3.0.2 allows remote attackers to inject arbitrary web script or HTML via the value_title parameter, a different vulnerability than…

  • CVE-2012-1792 · May 27, 2012
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Setup/Application/Install/RPC/DBCheck.php in OSCommerce Online Merchant 3.0.2, when the software is being installed, allows remote attackers to inject arbitrary web script or HTML via the name parameter to…

  • CVE-2012-1059 · Feb 14, 2012
    risk 0.00 · cvss · epss 0.04

    Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Shop/Application/Cart/pages/main.php in OSCommerce Online Merchant 3.0.2 allows remote attackers to inject arbitrary web script or HTML via the value_title parameter, as demonstrated using the "Front" field in…

  • CVE-2012-0312 · Jan 26, 2012
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in osCommerce 2.2MS1J before R9, and osCommerce Online Merchant before 2.3.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.