CVSS: 9.8EPSS: 0%CPEs: 43EXPL: 1CVE-2009-4060 – CubeCart 3.0.4/4.3.6 - 'ProductID' SQL Injection
https://notcve.org/view.php?id=CVE-2009-4060
24 Nov 2009 — SQL injection vulnerability in includes/content/viewProd.inc.php in CubeCart before 4.3.7 remote attackers to execute arbitrary SQL commands via the productId parameter. Una vulnerabilidad de inyección SQL en includes/content/viewProd.inc.php en CubeCart antes de v4.3.7 permite ejecutar comandos SQL a atacantes remotos a través del parámetro ProductID. • https://www.exploit-db.com/exploits/33362 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 5CVE-2006-5107 – CubeCart 3.0.x - '/admin/forgot_pass.php?user_name' SQL Injection
https://notcve.org/view.php?id=CVE-2006-5107
02 Oct 2006 — Multiple SQL injection vulnerabilities in Devellion CubeCart 2.0.x allow remote attackers to execute arbitrary SQL commands via (1) the user_name parameter in admin/forgot_pass.php, (2) the order_id parameter in view_order.php, (3) the view_doc parameter in view_doc.php, and (4) the order_id parameter in admin/print_order.php. Múltiples vulnerabilidades de inyección SQL en Devellion CubeCart 2.0.x permite a un atacante remoto ejecutar comandos SQL de su elección a través del (1)parámetro user_name en admin/... • https://www.exploit-db.com/exploits/28695 •
CVSS: 6.8EPSS: 10%CPEs: 7EXPL: 7CVE-2006-5108 – CubeCart 3.0.x - '/admin/header.inc.php' Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2006-5108
02 Oct 2006 — Multiple cross-site scripting (XSS) vulnerabilities in Devellion CubeCart 2.0.x allow remote attackers to inject arbitrary web script or HTML via the order_id parameter in (1) admin/print_order.php and (2) view_order.php; the (3) site_url and (4) la_search_home parameters and (5) certain language parameters in admin/nav.php; the (6) image parameter in admin/image.php; the (7) site_name, (8) la_adm_header, (9) charset, and (10) certain other parameters in admin/header.inc.php; the (12) la_pow_by parameter in... • https://www.exploit-db.com/exploits/28703 •
CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 1CVE-2006-5109
https://notcve.org/view.php?id=CVE-2006-5109
02 Oct 2006 — Devellion CubeCart 2.0.x allows remote attackers to obtain sensitive information via a direct request for (1) link_navi.php or (2) spotlight.php, which reveals the path in various error messages. NOTE: the information.php, language.php, list_docs.php, popular_prod.php, sale.php, check_sum.php, and cat_navi.php vectors are already covered by CVE-2005-0607. Devellion CubeCart 2.0.x permite a atacantes remotos obtener información sensible a través de la respuesta directa para (1) link_navi.php o (2) spotlight.... • http://securityreason.com/securityalert/1662 •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2006-4526
https://notcve.org/view.php?id=CVE-2006-4526
01 Sep 2006 — SQL injection vulnerability in includes/content/viewCat.inc.php in CubeCart 3.0.12 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary SQL commands via the searchArray[] parameter. Vulnerabilidad de inyección SQL en includes/content/viewCat.inc.php en CubeCart 3.0.12 y anteriores, cuando register_globales está activado, permite a atacantes remotos ejecutar comandos SQL de su elección mediante el parámetro searchArray[]. • http://cubecart.com/site/forums/index.php?showtopic=21540 •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2006-4525 – CubeCart < 3.0.12 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2006-4525
01 Sep 2006 — Cross-site scripting (XSS) vulnerability in CubeCart 3.0.12 and earlier, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the links array. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en CubeCart 3.0.12 y anteriores, cuando register_globals está habilitado, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante el array links. • https://www.exploit-db.com/exploits/43840 •
CVSS: 6.1EPSS: 1%CPEs: 5EXPL: 4CVE-2005-0606 – CubeCart 2.0.x - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2005-0606
01 Mar 2005 — Cross-site scripting (XSS) vulnerability in settings.inc.php for CubeCart 2.0.0 through 2.0.5, as used in multiple PHP files, allows remote attackers to inject arbitrary HTML or web script via the (1) cat_id, (2) PHPSESSID, (3) view_doc, (4) product, (5) session, (6) catname, (7) search, or (8) page parameters. • https://www.exploit-db.com/exploits/25162 •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2005-0607
https://notcve.org/view.php?id=CVE-2005-0607
01 Mar 2005 — CubeCart 2.0.0 through 2.0.5 allows remote attackers to determine the full path of the server via direct calls without parameters to (1) information.php, (2) language.php, (3) list_docs.php, (4) popular_prod.php, (5) sale.php, (6) subfooter.inc.php, (7) subheader.inc.php, (8) cat_navi.php, or (9) check_sum.php, which reveals the path in a PHP error message. • http://lostmon.blogspot.com/2005/02/cubecart-20x-multiple-variable-xss.html •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 2CVE-2005-0442 – Brooky CubeCart 2.0.1/2.0.4 - 'index.php?language' Traversal Arbitrary File Access
https://notcve.org/view.php?id=CVE-2005-0442
15 Feb 2005 — Directory traversal vulnerability in index.php for CubeCart 2.0.4 allows remote attackers to read arbitrary files via the language parameter. • https://www.exploit-db.com/exploits/25098 •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 2CVE-2005-0443 – Brooky CubeCart 2.0.1/2.0.4 - 'index.php?language' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2005-0443
15 Feb 2005 — index.php in CubeCart 2.0.4 allows remote attackers to (1) obtain the full path for the web server or (2) conduct cross-site scripting (XSS) attacks via an invalid language parameter, which echoes the parameter in a PHP error message. • https://www.exploit-db.com/exploits/25097 •