CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1
CVE-2025-59413 – CubeCart Unauthorized Newsletter Unsubscription via force_unsubscribe Parameter
https://notcve.org/view.php?id=CVE-2025-59413
22 Sep 2025 — CubeCart is an ecommerce software solution. Prior to version 6.5.11, a logic flaw exists in the newsletter subscription endpoint that allows an attacker to unsubscribe any user without their consent. By changing the value of the force_unsubscribe parameter in the POST request to 1, an attacker can force the removal of any valid subscriber’s email address. This issue has been patched in version 6.5.11. • https://github.com/cubecart/v6/commit/7fd1cd04f5d5c3ce1d7980327464f0ff6551de79 • CWE-862: Missing Authorization
CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1
CVE-2025-59412 – CubeCart Vulnerable to HTML Injection in Product Reviews Allows Malicious Links and Defacement
https://notcve.org/view.php?id=CVE-2025-59412
22 Sep 2025 — CubeCart is an ecommerce software solution. Prior to version 6.5.11, a vulnerability exists in the product reviews feature where user-supplied input is not properly sanitized before being displayed. An attacker can submit HTML tags inside the review description field. Once the administrator approves the review, the injected HTML is rendered on the product page for all visitors. This could be used to redirect users to malicious websites or to display unwanted content. • https://github.com/cubecart/v6/commit/1a0c0d8f6c9c141575eb5be07d04e7d49820005b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 1
CVE-2025-59411 – CubeCart Stored/Reflected HTML Injection Vulnerability in Contact Enquiry
https://notcve.org/view.php?id=CVE-2025-59411
22 Sep 2025 — CubeCart is an ecommerce software solution. Prior to version 6.5.11, the contact form’s Enquiry field accepts raw HTML and that HTML is included verbatim in the email sent to the store admin. By submitting HTML in the Enquiry, the admin receives an email containing that HTML. This indicates user input is not being escaped or sanitized before being output in email (and possibly when re-rendering the form), leading to Cross-Site Scripting / HTML injection risk in email clients or admin UI. This issue has been... • https://github.com/cubecart/v6/commit/299065bd4a8836782ce92f70988c730f130756db • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 7.1 | EPSS: 0% | CPEs: 1 | EXPL: 1
CVE-2025-59335 – CubeCart Session Not Invalidated After Password Change
https://notcve.org/view.php?id=CVE-2025-59335
22 Sep 2025 — CubeCart is an ecommerce software solution. Prior to version 6.5.11, there is an absence of automatic session expiration following a user's password change. This oversight poses a security risk, as if a user forgets to log out from a location where they accessed their account, an unauthorized user can maintain access even after the password has been changed. Due to this bug, if an account has already been compromised, the legitimate user has no way to revoke the attacker’s access. The malicious actor retain... • https://github.com/cubecart/v6/commit/4bfaeb4485dd82255a108940a163af5ba4583b52 • CWE-613: Insufficient Session Expiration
CVSS: 8.3 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2023-47675
https://notcve.org/view.php?id=CVE-2023-47675
17 Nov 2023 — CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary OS command. • https://forums.cubecart.com/topic/58736-cubecart-653-released-security-update • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2023-47283
https://notcve.org/view.php?id=CVE-2023-47283
17 Nov 2023 — Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to obtain files in the system. • https://forums.cubecart.com/topic/58736-cubecart-653-released-security-update • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS: 7.7 | EPSS: 2% | CPEs: 1 | EXPL: 0
CVE-2023-42428
https://notcve.org/view.php?id=CVE-2023-42428
17 Nov 2023 — Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to delete directories and files in the system. • https://forums.cubecart.com/topic/58736-cubecart-653-released-security-update • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS: 9.4 | EPSS: 1% | CPEs: 1 | EXPL: 0
CVE-2023-38130
https://notcve.org/view.php?id=CVE-2023-38130
17 Nov 2023 — Cross-site request forgery (CSRF) vulnerability in CubeCart prior to 6.5.3 allows a remote unauthenticated attacker to delete data in the system. • https://forums.cubecart.com/topic/58736-cubecart-653-released-security-update • CWE-352: Cross-Site Request Forgery (CSRF)
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1
CVE-2018-20716
https://notcve.org/view.php?id=CVE-2018-20716
15 Jan 2019 — CubeCart before 6.1.13 has SQL Injection via the validate[] parameter of the "I forgot my Password!" feature. • https://blog.ripstech.com/2018/cubecart-admin-authentication-bypass • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS: 6.5 | EPSS: 3% | CPEs: 1 | EXPL: 0
CVE-2017-2090
https://notcve.org/view.php?id=CVE-2017-2090
28 Apr 2017 — Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors. • http://jvn.jp/en/jp/JVN73182875/index.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
