Shoppingtree Candypress Store vulnerabilities
6 known vulnerabilities affecting shoppingtree/candypress_store.
Total CVEs: 6
CISA KEV: 0
Public exploits: 6
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 2
Vulnerabilities
CVE-2008-0546 [HIGH] CWE-89 | P3 | CVSS 7.5 | PoC | v4.1 | v4.1.1.26 | 2008-02-01
Multiple SQL injection vulnerabilities in CandyPress (CP) 4.1.1.26, and earlier 4.1.x versions, allow remote attackers to execute arbitrary SQL commands via the (1) idProduct and (2) options parameters to (a) ajax/ajax_optInventory.asp, or the (3) recid parameter to (b) ajax/ajax_getBrands.asp.
Source: nvd
CVE-2008-0737 [HIGH] CWE-89 | P3 | CVSS 7.5 | PoC | v4.1 | v4.1.1.26 | 2008-02-13
SQL injection vulnerability in admin/utilities_ConfigHelp.asp in CandyPress (CP) 4.1.1.26, and other 4.x and 3.x versions, allows remote attackers to execute arbitrary SQL commands via the helpfield parameter.
Source: nvd
CVE-2008-0739 [HIGH] CWE-89 | P3 | CVSS 7.5 | PoC | ≤ 4.1 | v4.1.1.26 | 2008-02-13
SQL injection vulnerability in admin/SA_shipFedExMeter.asp in CandyPress (CP) 4.1.1.26, and earlier 4.x and 3.x versions, allows remote attackers to execute arbitrary SQL commands via the FedExAccount parameter.
Source: nvd
CVE-2008-0738 [HIGH] CWE-89 | P3 | CVSS 7.5 | PoC | ≤ 4.1 | v4.1.1.26 | 2008-02-13
Multiple SQL injection vulnerabilities in CandyPress (CP) 4.1.1.26, and earlier 4.1.x versions, allow remote attackers to execute arbitrary SQL commands via the (1) idcust parameter to (a) ajax_getTiers.asp and (b) ajax_getCust.asp in ajax/, and the (2) tableName parameter to (c) ajax/ajax_tableFields.asp. NOTE: the provenance of this information is unkn
Source: nvd
CVE-2008-0736 [MEDIUM] CWE-200 | P4 | CVSS 5.0 | PoC | v4.1 | v4.1.1.26 | 2008-02-13
admin/SA_shipFedExMeter.asp in CandyPress (CP) 4.1.1.26, and possibly other 4.x and 3.x versions, allows remote attackers to obtain the path via a certain value of the FedExAccount parameter.
Source: nvd
CVE-2008-0547 [MEDIUM] CWE-79 | P4 | CVSS 4.3 | PoC | v4.1 | v4.1.1.26 | 2008-02-01
Cross-site scripting (XSS) vulnerability in admin/utilities_ConfigHelp.asp in CandyPress (CP) 4.1.1.26, and probably earlier 4.x and 3.x versions, allows remote attackers to inject arbitrary web script or HTML via the helpfield parameter.
Source: nvd