Oscommerce

Oscommerce

78 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
5.4

CVE-2023-43704

Exploit
  • EPSS 0.12%
  • Published 30.09.2023 02:15:09
  • Last modified 21.11.2024 08:24:36

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "title" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.

5.4

CVE-2023-43703

Exploit
  • EPSS 0.12%
  • Published 30.09.2023 02:15:09
  • Last modified 21.11.2024 08:24:36

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "product_info[][name]" parameter, potentially leading to unauthorized execution of scripts within a user'...

5.4

CVE-2023-43702

Exploit
  • EPSS 0.12%
  • Published 30.09.2023 02:15:09
  • Last modified 21.11.2024 08:24:36

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "tracking_number" parameter, potentially leading to unauthorized execution of scripts within a user's web...

6.1

CVE-2022-35212

  • EPSS 0.67%
  • Published 18.08.2022 20:15:11
  • Last modified 21.11.2024 07:10:54

osCommerce2 before v2.3.4.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the function tep_db_error().

9.8

CVE-2020-23360

Exploit
  • EPSS 0.36%
  • Published 27.01.2021 16:15:13
  • Last modified 21.11.2024 05:13:46

oscommerce v2.3.4.1 has a functional problem in user registration and password rechecking, where a non-identical password can bypass the checks in /catalog/admin/administrators.php and /catalog/password_reset.php

4.8

CVE-2020-29070

Exploit
  • EPSS 0.49%
  • Published 25.11.2020 20:15:10
  • Last modified 21.11.2024 05:23:38

osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters.

10

CVE-2020-27976

Exploit
  • EPSS 20.02%
  • Published 28.10.2020 15:15:13
  • Last modified 21.11.2024 05:22:08

osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remotely. Within admin/mail.php, a from POST parameter can be passed to the application. This affects the PHP mail function, and the sendmail -f option.

8.8

CVE-2020-27975

Exploit
  • EPSS 0.15%
  • Published 28.10.2020 15:15:13
  • Last modified 21.11.2024 05:22:08

osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF.

7.2

CVE-2018-18573

  • EPSS 2.33%
  • Published 22.08.2019 15:15:12
  • Last modified 21.11.2024 03:56:11

osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Remote authenticated administrators can upload new '.htaccess' files (e.g., omitting .php) and subsequently achieve arbitrary PHP code execution via a /ca...

7.2

CVE-2018-18572

  • EPSS 1.98%
  • Published 22.08.2019 15:15:11
  • Last modified 21.11.2024 03:56:11

osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Because of this filter, script files with certain PHP-related extensions (such as .phtml and .php5) didn't execute in the application. But this filter did...