Oscommerce

Oscommerce

78 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
5.4

CVE-2023-43704

Exploit
  • EPSS 0.12%
  • Veröffentlicht 30.09.2023 02:15:09
  • Zuletzt bearbeitet 21.11.2024 08:24:36

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "title" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.

5.4

CVE-2023-43703

Exploit
  • EPSS 0.12%
  • Veröffentlicht 30.09.2023 02:15:09
  • Zuletzt bearbeitet 21.11.2024 08:24:36

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "product_info[][name]" parameter, potentially leading to unauthorized execution of scripts within a user'...

5.4

CVE-2023-43702

Exploit
  • EPSS 0.12%
  • Veröffentlicht 30.09.2023 02:15:09
  • Zuletzt bearbeitet 21.11.2024 08:24:36

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "tracking_number" parameter, potentially leading to unauthorized execution of scripts within a user's web...

6.1

CVE-2022-35212

  • EPSS 0.67%
  • Veröffentlicht 18.08.2022 20:15:11
  • Zuletzt bearbeitet 21.11.2024 07:10:54

osCommerce2 before v2.3.4.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the function tep_db_error().

9.8

CVE-2020-23360

Exploit
  • EPSS 0.36%
  • Veröffentlicht 27.01.2021 16:15:13
  • Zuletzt bearbeitet 21.11.2024 05:13:46

oscommerce v2.3.4.1 has a functional problem in user registration and password rechecking, where a non-identical password can bypass the checks in /catalog/admin/administrators.php and /catalog/password_reset.php

4.8

CVE-2020-29070

Exploit
  • EPSS 0.49%
  • Veröffentlicht 25.11.2020 20:15:10
  • Zuletzt bearbeitet 21.11.2024 05:23:38

osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters.

10

CVE-2020-27976

Exploit
  • EPSS 20.02%
  • Veröffentlicht 28.10.2020 15:15:13
  • Zuletzt bearbeitet 21.11.2024 05:22:08

osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remotely. Within admin/mail.php, a from POST parameter can be passed to the application. This affects the PHP mail function, and the sendmail -f option.

8.8

CVE-2020-27975

Exploit
  • EPSS 0.15%
  • Veröffentlicht 28.10.2020 15:15:13
  • Zuletzt bearbeitet 21.11.2024 05:22:08

osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF.

7.2

CVE-2018-18573

  • EPSS 2.33%
  • Veröffentlicht 22.08.2019 15:15:12
  • Zuletzt bearbeitet 21.11.2024 03:56:11

osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Remote authenticated administrators can upload new '.htaccess' files (e.g., omitting .php) and subsequently achieve arbitrary PHP code execution via a /ca...

7.2

CVE-2018-18572

  • EPSS 1.98%
  • Veröffentlicht 22.08.2019 15:15:11
  • Zuletzt bearbeitet 21.11.2024 03:56:11

osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Because of this filter, script files with certain PHP-related extensions (such as .phtml and .php5) didn't execute in the application. But this filter did...