cbcvebase.

Oscommerce Online Merchant vulnerabilities

10 known vulnerabilities affecting oscommerce/online_merchant.

Total CVEs
10
CISA KEV
0
Public exploits
3
Exploited in wild
1
Severity breakdown
CRITICAL1MEDIUM8LOW1

Vulnerabilities

Page 1 of 1
CVE-2018-25114P1CRITICALCVSS 9.3ExploitedPoCv2.3.4.12025-07-23
CVE-2018-25114 [CRITICAL] CWE-94 CVE-2018-25114: A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due t A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication in the installer workflow. By default, the /install/ directory remains accessible after installation. An unauthenticated attacker can invoke install_4.php, submit crafted POST data, and inje
nvd
CVE-2014-10033P3MEDIUMCVSS 6.5PoC≤ 2.3.3.42015-01-13
CVE-2014-10033 [MEDIUM] CWE-89 CVE-2014-10033: SQL injection vulnerability in the update_zone function in catalog/admin/geo_zones.php in osCommerce SQL injection vulnerability in the update_zone function in catalog/admin/geo_zones.php in osCommerce Online Merchant 2.3.3.4 and earlier allows remote administrators to execute arbitrary SQL commands via the zID parameter in a list action.
nvd
CVE-2012-1059P4MEDIUMCVSS 4.3PoCv3.0.22012-02-14
CVE-2012-1059 [MEDIUM] CWE-79 CVE-2012-1059: Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Shop/Application/Cart/pages/main Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Shop/Application/Cart/pages/main.php in OSCommerce Online Merchant 3.0.2 allows remote attackers to inject arbitrary web script or HTML via the value_title parameter, as demonstrated using the "Front" field in the shirt module.
nvd
CVE-2012-2991P4MEDIUMCVSS 5.0≤ 2.3.3v2.3.0+2 more2012-09-19
CVE-2012-2991 [MEDIUM] CVE-2012-2991: The PayPal (aka MODULE_PAYMENT_PAYPAL_STANDARD) module before 1.1 in osCommerce Online Merchant befo The PayPal (aka MODULE_PAYMENT_PAYPAL_STANDARD) module before 1.1 in osCommerce Online Merchant before 2.3.4 allows remote attackers to set the payment recipient via a modified value of the merchant's e-mail address, as demonstrated by setting the recipient to one's self.
nvd
CVE-2018-18965P4MEDIUMCVSS 4.9v2.3.4.12018-11-06
CVE-2018-18965 [MEDIUM] CVE-2018-18965: osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. The osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. The .htaccess file in catalog/images/ bans the html extension, but there are several alternative cases in which HTML can be executed, such as a file with no extension or an unrecognized extension (e.g., the test or test.asdf filename).
nvd
CVE-2018-18966P4MEDIUMCVSS 4.9v2.3.4.12018-11-06
CVE-2018-18966 [MEDIUM] CVE-2018-18966: osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. The osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. The .htaccess file in catalog/images/ bans the html extension, but Internet Explorer render HTML elements in a .eml file.
nvd
CVE-2018-18964P4MEDIUMCVSS 4.9v2.3.4.12018-11-06
CVE-2018-18964 [MEDIUM] CVE-2018-18964: osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. The osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. The .htaccess file in catalog/images/ bans the html extension, but there are several extensions in which contained HTML can be executed, such as the svg extension.
nvd
CVE-2012-2935P4MEDIUMCVSS 4.3≤ 3.0.2v2.2+2 more2012-05-27
CVE-2012-2935 [MEDIUM] CVE-2012-2935: Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Shop/Application/Checkout/pages/ Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Shop/Application/Checkout/pages/main.php in OSCommerce Online Merchant 3.0.2 allows remote attackers to inject arbitrary web script or HTML via the value_title parameter, a different vulnerability than CVE-2012-1059.
nvd
CVE-2012-0312P4MEDIUMCVSS 4.3≤ 2.3.0v2.22012-01-26
CVE-2012-0312 [MEDIUM] CWE-79 CVE-2012-0312: Cross-site scripting (XSS) vulnerability in osCommerce 2.2MS1J before R9, and osCommerce Online Merc Cross-site scripting (XSS) vulnerability in osCommerce 2.2MS1J before R9, and osCommerce Online Merchant before 2.3.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
nvd
CVE-2012-1792P4LOWCVSS 2.6≤ 3.0.2v2.2+2 more2012-05-27
CVE-2012-1792 [LOW] CWE-79 CVE-2012-1792: Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Setup/Application/Install/RPC/DB Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Setup/Application/Install/RPC/DBCheck.php in OSCommerce Online Merchant 3.0.2, when the software is being installed, allows remote attackers to inject arbitrary web script or HTML via the name parameter to oscommerce/index.php, which is not properly handled in an error message. NOTE: this
nvd
Oscommerce Online Merchant vulnerabilities | cvebase