E Cart
All CVEs
31 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2006-2827 | | Critical | 0.64 | 9.8 | 0.01 | | Jun 5, 2006 | SQL injection vulnerability in search.php in X-Cart Gold and Pro 4.0.18, and X-Cart 4.1.0 beta 1, allows remote attackers to execute arbitrary SQL commands via the "Search for pattern" field, when the settings specify only "Search in Detailed description" and "Search also in… |
| CVE-2021-47909 | | High | 0.53 | 8.1 | 0.00 | | Feb 1, 2026 | Mult-E-Cart Ultimate 2.4 contains multiple SQL injection vulnerabilities in inventory, customer, vendor, and order modules. Remote attackers with privileged vendor or admin roles can exploit the 'id' parameter to execute malicious SQL commands and compromise the database… |
| CVE-2017-15673 | | High | 0.47 | 7.2 | 0.02 | | Nov 28, 2017 | The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP code via vectors involving a custom page. |
| CVE-2021-32202 | | Medium | 0.40 | 6.1 | 0.01 | | Sep 14, 2021 | In CS-Cart version 4.11.1, it is possible to induce copy-paste XSS by manipulating the "post description" field in the blog post creation page. |
| CVE-2020-9009 | | Low | 0.24 | 3.7 | 0.01 | | Apr 11, 2023 | The ShipStation.com plugin 1.1 and earlier for CS-Cart allows remote attackers to insert arbitrary information into the database (via action=shipnotify) because access to this endpoint is completely unchecked. The attacker must guess an order number. |
| CVE-2007-0134 | | | 0.04 | — | 0.11 | | Jan 9, 2007 | Multiple eval injection vulnerabilities in iGeneric iG Shop 1.0 allow remote attackers to execute arbitrary code via the action parameter, which is supplied to an eval function call in (1) cart.php and (2) page.php. NOTE: a later report and CVE analysis indicate that the… |
| CVE-2006-2863 | | | 0.04 | — | 0.09 | | Jun 6, 2006 | PHP remote file inclusion vulnerability in class.cs_phpmailer.php in CS-Cart 1.3.3 allows remote attackers to execute arbitrary PHP code via a URL in the classes_dir parameter. |
| CVE-2015-2701 | | | 0.03 | — | 0.03 | | Mar 25, 2015 | Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of users for requests that change a user password via a request to profiles-update/. |
| CVE-2009-2579 | | | 0.03 | — | 0.01 | | Aug 5, 2009 | SQL injection vulnerability in reward_points.post.php in the Reward points addon in CS-Cart before 2.0.6 allows remote authenticated users to execute arbitrary SQL commands via the sort_order parameter in a reward_points.userlog action to index.php, a different vulnerability… |
| CVE-2009-1447 | | | 0.03 | — | 0.04 | | Apr 27, 2009 | Unrestricted file upload vulnerability in admin/editor/image.php in e-cart.biz Free Shopping Cart allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in images/. |
| CVE-2009-0832 | | | 0.03 | — | 0.01 | | Mar 5, 2009 | SQL injection vulnerability in items.php in the E-Cart module 1.3 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the CA parameter. |
| CVE-2008-6394 | | | 0.03 | — | 0.01 | | Mar 4, 2009 | SQL injection vulnerability in core/user.php in CS-Cart 1.3.5 and earlier allows remote attackers to execute arbitrary SQL commands via the cs_cookies[customer_user_id] cookie parameter. |
| CVE-2008-1458 | | | 0.03 | — | 0.02 | | Mar 24, 2008 | Cross-site scripting (XSS) vulnerability in index.php in CS-Cart 1.3.2 allows remote attackers to inject arbitrary web script or HTML via the q parameter in a products search action. NOTE: it was also reported that 1.3.5-SP2 trial edition is also affected. |
| CVE-2007-2717 | | | 0.03 | — | 0.01 | | May 16, 2007 | SQL injection vulnerability in shop/page.php in iGeneric (iG) Shop 1.4 allows remote attackers to execute arbitrary SQL commands via the type_id[] parameter, a different vector than CVE-2005-0537. |
| CVE-2007-0132 | | | 0.03 | — | 0.02 | | Jan 9, 2007 | SQL injection vulnerability in compare_product.php in iGeneric iG Shop 1.4 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2007-0133 | | | 0.03 | — | 0.01 | | Jan 9, 2007 | Multiple SQL injection vulnerabilities in display_review.php in iGeneric iG Shop 1.4 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id or (2) user_login_cookie parameter. |
| CVE-2007-0130 | | | 0.03 | — | 0.01 | | Jan 9, 2007 | SQL injection vulnerability in user.php in iGeneric iG Calendar 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2005-4429 | | | 0.03 | — | 0.01 | | Dec 21, 2005 | SQL injection vulnerability in CS-Cart 1.3.0 allows remote attackers to execute arbitrary SQL commands via the (1) sort_by and (2) sort_order parameters to index.php. |
| CVE-2005-4290 | | | 0.03 | — | 0.02 | | Dec 16, 2005 | Cross-site scripting (XSS) vulnerability in index.cgi in ECW-Cart 2.03 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) kword, (2) max, (3) min, (4) comp, and (5) f parameters. |
| CVE-2005-1289 | | | 0.03 | — | 0.04 | | May 2, 2005 | index.cgi in E-Cart 2004 1.1 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) art and possibly (2) cat parameters. |
| CVE-2004-0241 | | | 0.03 | — | 0.06 | | Nov 23, 2004 | X-Cart 3.4.3 allows remote attackers to execute arbitrary commands via the perl_binary argument in (1) upgrade.php or (2) general.php. |
| CVE-2015-5455 | | | 0.00 | — | 0.01 | | Jul 8, 2015 | Cross-site scripting (XSS) vulnerability in X-Cart 4.5.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors to install/. |
| CVE-2015-0951 | | | 0.00 | — | 0.01 | | Apr 5, 2015 | X-Cart before 5.1.11 allows remote authenticated users to read or delete address data of arbitrary accounts via a modified (1) update or (2) remove request. |
| CVE-2015-0950 | | | 0.00 | — | 0.01 | | Apr 5, 2015 | Cross-site scripting (XSS) vulnerability in admin.php in X-Cart 5.1.6 through 5.1.10 allows remote attackers to inject arbitrary web script or HTML via the substring parameter. |
| CVE-2015-1178 | | | 0.00 | — | 0.02 | | Jan 26, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in cart.php in X-Cart 5.1.8 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) product_id or (2) category_id parameter. |
| CVE-2013-7317 | | | 0.00 | — | 0.01 | | Jan 24, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) settings_file or (2) data_file parameter to (a) ampie.swf, (b) amline.swf, or (c) amcolumn.swf. |
| CVE-2013-0118 | | | 0.00 | — | 0.02 | | Feb 24, 2013 | CS-Cart before 3.0.6, when PayPal Standard Payments is configured, allows remote attackers to set the payment recipient via a modified value of the merchant's e-mail address, as demonstrated by setting the recipient to one's self. |
| CVE-2009-4891 | | | 0.00 | — | 0.01 | | Jun 11, 2010 | SQL injection vulnerability in index.php in CS-Cart 2.0.0 Beta 3 allows remote attackers to execute arbitrary SQL commands via the product_id parameter in a products.view action. |
| CVE-2007-0230 | | | 0.00 | — | 0.01 | | Jan 13, 2007 | PHP remote file inclusion vulnerability in install.php in CS-Cart 1.3.3 allows remote attackers to execute arbitrary PHP code via a URL in the install_dir parameter. NOTE: CVE and third parties dispute this vulnerability because install_dir is defined before use. |
| CVE-2005-0537 | | | 0.00 | — | 0.01 | | Feb 21, 2005 | Multiple SQL injection vulnerabilities in page.php for iGeneric (iG) Shop 1.2 may allow remote attackers to execute arbitrary SQL statements via the (1) cats, (2) l_price, or (3) u_price parameters. |
| CVE-2004-0240 | | | 0.00 | — | 0.01 | | Nov 23, 2004 | Directory traversal vulnerability in X-Cart 3.4.3 allows remote attackers to view arbitrary files via a .. (dot dot) in the shop_closed_file argument to auth.php. |