CVSS: 6.0EPSS: 0%CPEs: 1EXPL: 0CVE-2009-0408
https://notcve.org/view.php?id=CVE-2009-0408
Cross-site request forgery (CSRF) vulnerability in osCommerce 2.2 RC 2a allows remote attackers to hijack the authentication of administrators. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en osCommerce versión 2.2 RC 2a, permite a los atacantes remotos secuestrar la autenticación de los administradores. • http://holisticinfosec.org/content/view/97/45 http://osvdb.org/51605 http://secunia.com/advisories/33446 https://exchange.xforce.ibmcloud.com/vulnerabilities/48289 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2008-4170
https://notcve.org/view.php?id=CVE-2008-4170
create_account.php in osCommerce 2.2 RC 2a allows remote attackers to obtain sensitive information via an invalid dob parameter, which reveals the installation path in an error message. create_account.php en osCommerce 2.2 RC 2a, permite a atacantes remotos obtener información sensible a través de un parámetro "dob" inválido, lo que muestra el directorio de instalación en un mensaje de error. • http://securityreason.com/securityalert/4293 http://www.securityfocus.com/archive/1/496417/100/0/threaded http://www.securityfocus.com/bid/31209 https://exchange.xforce.ibmcloud.com/vulnerabilities/45193 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 2CVE-2008-0719 – osCommerce Addon Customer Testimonials 3.1 - SQL Injection
https://notcve.org/view.php?id=CVE-2008-0719
SQL injection vulnerability in customer_testimonials.php in the Customer Testimonials 3 and 3.1 Addon for osCommerce Online Merchant 2.2 allows remote attackers to execute arbitrary SQL commands via the testimonial_id parameter. Vulnerabilidad de inyección SQL en customer_testimonials.php de Customer Testimonials 3 y 3.1 Addon para osCommerce Online Merchant 2.2. Permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro testimonial_id. • https://www.exploit-db.com/exploits/5075 http://secunia.com/advisories/28831 http://www.securityfocus.com/bid/27664 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2006-6533
https://notcve.org/view.php?id=CVE-2006-6533
Directory traversal vulnerability in admin/templates_boxes_layout.php in osCommerce 3.0a3 allows remote attackers to include and execute arbitrary PHP files via a .. (dot dot) in the filter parameter. NOTE: this issue can be leveraged to obtain full path information in error messages. Vulnerabilidad de escalado de directorio en admin/templates_boxes_layout.php en osCommerce 3.0a3 permite a atacantes remotos incluir y ejecutar ficheros PHP de su elección mediante un .. (punto punto) a través del parámetro filter. NOTA. • http://lostmon.blogspot.com/2006/12/oscommerce-traversal-arbitrary-file.html http://securitytracker.com/id?1017353 http://www.securityfocus.com/bid/21477 http://www.vupen.com/english/advisories/2006/4895 https://exchange.xforce.ibmcloud.com/vulnerabilities/30767 •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2CVE-2006-6534
https://notcve.org/view.php?id=CVE-2006-6534
Multiple cross-site scripting (XSS) vulnerabilities in osCommerce 3.0a3 allow remote attackers to inject arbitrary web script or HTML via the (1) set parameter to admin/modules.php, the (2) selected_box parameter to definitiva/admin/customers.php, the (3) lID parameter to admin/languages_definitions.php, or the (4) pID parameter to admin/products.php. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en osCommerce 3.0a3 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante el (1) parámetro set a admin/modules.php, el (2) parámetro selected_box a definitiva/admin/customers.php, el (3) parámetro lID a admin/languages_definitions.php, o el (4) parámetro pID a admin/products.php. • http://lostmon.blogspot.com/2006/12/oscommerce-traversal-arbitrary-file.html http://securitytracker.com/id?1017353 http://www.securityfocus.com/bid/21477 •