cbcvebase.

Opensolution Quick.Cart vulnerabilities

10 known vulnerabilities affecting opensolution/quick.cart.

Total CVEs
10
CISA KEV
0
Public exploits
4
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH2MEDIUM7

Vulnerabilities

Page 1 of 1
CVE-2020-35754P3HIGHCVSS 7.2PoCfixed in 6.72021-01-28
CVE-2020-35754 [HIGH] CWE-94 CVE-2020-35754: OpenSolution Quick.CMS < 6.7 and Quick.Cart < 6.7 allow an authenticated user to perform code inject OpenSolution Quick.CMS < 6.7 and Quick.Cart < 6.7 allow an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Language tab.
nvd
CVE-2026-23796P3CRITICALCVSS 9.8v6.72026-02-05
CVE-2026-23796 [CRITICAL] CWE-384 CVE-2026-23796: Quick.Cart allows a user's session identifier to be set before authentication. The value of this ses Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn't respond with the details
nvd
CVE-2025-67684P3HIGHCVSS 7.2v6.72026-01-22
CVE-2025-67684 [HIGH] CWE-22 CVE-2025-67684: Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection me Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. This allows an attacker to include and execute uploaded PHP code, resulting in Remote Code Execution on the server. The vendor w
nvd
CVE-2009-4120P4MEDIUMCVSS 6.8PoCv3.42009-12-01
CVE-2009-4120 [MEDIUM] CWE-352 CVE-2009-4120: Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.Cart 3.4 allow remote attackers Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.Cart 3.4 allow remote attackers to hijack the authentication of the administrator for requests that (1) delete orders via an orders-delete action to admin.php, and possibly (2) delete products or (3) delete pages via unspecified vectors.
nvd
CVE-2012-6430P4MEDIUMCVSS 4.3PoCv6.02014-03-24
CVE-2012-6430 [MEDIUM] CVE-2012-6430: Cross-site scripting (XSS) vulnerability in Open Solution Quick.Cms 5.0 and Quick.Cart 6.0, possibly Cross-site scripting (XSS) vulnerability in Open Solution Quick.Cms 5.0 and Quick.Cart 6.0, possibly as downloaded before December 19, 2012, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin.php. NOTE: this might be a duplicate of CVE-2008-4140.
nvd
CVE-2008-4140P4MEDIUMCVSS 4.3PoCv3.12008-09-24
CVE-2008-4140 [MEDIUM] CWE-79 CVE-2008-4140: Cross-site scripting (XSS) vulnerability in admin.php in Quick.Cart 3.1 allows remote attackers to i Cross-site scripting (XSS) vulnerability in admin.php in Quick.Cart 3.1 allows remote attackers to inject arbitrary web script or HTML via the query string.
nvd
CVE-2025-67683P4MEDIUMCVSS 6.1v6.72026-01-22
CVE-2025-67683 [MEDIUM] CWE-79 CVE-2025-67683: Quick.Cart is vulnerable to reflected XSS via the sSort parameter. An attacker can craft a malicious Quick.Cart is vulnerable to reflected XSS via the sSort parameter. An attacker can craft a malicious URL which, when opened, results in arbitrary JavaScript execution in the victim’s browser. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was
nvd
CVE-2026-23797P4MEDIUMCVSS 4.9v6.72026-02-05
CVE-2026-23797 [MEDIUM] CWE-256 CVE-2026-23797: In Quick.Cart user passwords are stored in plaintext form. An attacker with high privileges can disp In Quick.Cart user passwords are stored in plaintext form. An attacker with high privileges can display users' password in user editing page. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other version
nvd
CVE-2025-10317P4MEDIUMCVSS 5.1v6.72025-10-30
CVE-2025-10317 [MEDIUM] CWE-352 CVE-2025-10317: Quick.Cart is vulnerable to Cross-Site Request Forgery in product creation functionality. Malicious Quick.Cart is vulnerable to Cross-Site Request Forgery in product creation functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request creating a malicious product with content defined by the attacker. This software does not implement any protection against this type of attack.
nvd
CVE-2012-6049P4MEDIUMCVSS 5.0v5.02012-11-27
CVE-2012-6049 [MEDIUM] CWE-200 CVE-2012-6049: Open Solution Quick.Cart 5.0 allows remote attackers to obtain sensitive information via (1) a long Open Solution Quick.Cart 5.0 allows remote attackers to obtain sensitive information via (1) a long string or (2) invalid characters in a cookie, which reveals the installation path in an error message.
nvd
Opensolution Quick.Cart vulnerabilities | cvebase