CVE-2017-2098
https://notcve.org/view.php?id=CVE-2017-2098
Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors. • http://jvn.jp/en/jp/JVN81618356/index.html http://www.securityfocus.com/bid/95866 https://forums.cubecart.com/topic/52088-cubecart-614-released • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-2090
https://notcve.org/view.php?id=CVE-2017-2090
Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors. • http://jvn.jp/en/jp/JVN73182875/index.html http://www.securityfocus.com/bid/96429 https://support.cybozu.com/ja-jp/article/9499 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-2117
https://notcve.org/view.php?id=CVE-2017-2117
Directory traversal vulnerability in CubeCart versions prior to 6.1.5 allows an attacker with administrator rights to read arbitrary files via unspecified vectors. • http://jvn.jp/en/jp/JVN63474730/index.html http://www.securityfocus.com/bid/96466 https://forums.cubecart.com/topic/52188-cubecart-615-released • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2014-2341 – CubeCart 5.2.8 - Session Fixation
https://notcve.org/view.php?id=CVE-2014-2341
Session fixation vulnerability in CubeCart before 5.2.9 allows remote attackers to hijack web sessions via the PHPSESSID parameter. • https://www.exploit-db.com/exploits/32830 http://forums.cubecart.com/topic/48427-cubecart-529-relased http://secunia.com/advisories/57856 http://www.exploit-db.com/exploits/32830 http://www.osvdb.org/105784 http://www.securityfocus.com/bid/66805 http://www.securitytracker.com/id/1030086 https://exchange.xforce.ibmcloud.com/vulnerabilities/92526 • CWE-287: Improper Authentication
CVE-2013-1465 – CubeCart 5.2.0 - 'cubecart.class.php' PHP Object Injection
https://notcve.org/view.php?id=CVE-2013-1465
The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object. CubeCart versions 5.0.0 through 5.2.0 suffer from a PHP object injection vulnerability in cubecart.class.php. • https://www.exploit-db.com/exploits/24465 http://archives.neohapsis.com/archives/bugtraq/2013-02/0032.html http://forums.cubecart.com/?showtopic=47026 http://karmainsecurity.com/KIS-2013-02 http://osvdb.org/89923 http://packetstormsecurity.com/files/120094/CubeCart-5.2.0-PHP-Object-Injection.html http://secunia.com/advisories/52072 http://www.exploit-db.com/exploits/24465 http://www.securityfocus.com/bid/57770 https://exchange.xforce.ibmcloud.com/vulnerabilities/81920 • CWE-502: Deserialization of Untrusted Data