CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2016-10509
https://notcve.org/view.php?id=CVE-2016-10509
31 Aug 2017 — SQL injection vulnerability in the updateAmazonOrderTracking function in upload/admin/model/openbay/amazon.php in OpenCart before version 2.3.0.0 allows remote authenticated administrators to execute arbitrary SQL commands via a carrier (aka courier_id) parameter to openbay.php. Una vulnerabilidad de inyección SQL en la función updateAmazonOrderTracking en upload/admin/model/openbay/amazon.php en OpenCart en versiones anteriores a la 2.3.0.0 permite que los administradores autenticados remotos ejecuten coma... • https://github.com/opencart/opencart/commit/b95044da6ac608e7239f7949ff21d3b65be68f82 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2015-4671 – OpenCart 2.1.0.1 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2015-4671
07 Jan 2016 — Cross-site scripting (XSS) vulnerability in OpenCart before 2.1.0.2 allows remote attackers to inject arbitrary web script or HTML via the zone_id parameter to index.php. Vulnerabilidad de XSS en OpenCart en versiones anteriores a 2.1.0.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de el parámetro zone_id para index.php. OpenCart version 2.1.0.1 suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/135163 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 11%CPEs: 1EXPL: 5CVE-2014-3990 – OpenCart 1.5.6.4 PHP Object Injection
https://notcve.org/view.php?id=CVE-2014-3990
14 Jul 2014 — The Cart::getProducts method in system/library/cart.php in OpenCart 1.5.6.4 and earlier allows remote attackers to conduct server-side request forgery (SSRF) attacks or possibly conduct XML External Entity (XXE) attacks and execute arbitrary code via a crafted serialized PHP object, related to the quantity parameter in an update request. El método Cart::getProducts en system/library/cart.php en OpenCart, en versiones 1.5.6.4 y anteriores, permite que atacantes remotos lleven a cabo ataques de SSRF (Server-S... • https://packetstorm.news/files/id/127460 • CWE-611: Improper Restriction of XML External Entity Reference CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 1%CPEs: 1EXPL: 1CVE-2011-3763
https://notcve.org/view.php?id=CVE-2011-3763
24 Sep 2011 — OpenCart 1.4.9.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by system/startup.php and certain other files. OpenCart v1.4.9.3 permite a atacantes remotos obtener información sensible a través de una petición directa a un archivo .php, lo que revela la ruta de instalación en un mensaje de error, como se demostró con system/startup.php y algunos otros archivos. • http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2010-1610
https://notcve.org/view.php?id=CVE-2010-1610
29 Apr 2010 — Cross-site request forgery (CSRF) vulnerability in index.php in OpenCart 1.4 allows remote attackers to hijack the authentication of an application administrator for requests that create an administrative account via a POST request with the route parameter set to "user/user/insert." NOTE: some of these details are obtained from third party information. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en index.php en OpenCart v1.4 permite a atacantes remotos secuestrar la autenticación d... • http://blog.visionsource.org/2010/01/28/opencart-csrf-vulnerability • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2010-0956
https://notcve.org/view.php?id=CVE-2010-0956
09 Mar 2010 — SQL injection vulnerability in index.php in OpenCart 1.3.2 allows remote attackers to execute arbitrary SQL commands via the page parameter. Vulnerabilidad de inyección SQL en index.php en OpenCart v1.3.2 permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro page. • http://packetstormsecurity.org/1003-exploits/opencart-sql.txt • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 2%CPEs: 1EXPL: 2CVE-2009-1621 – Opencart 1.1.8 - 'route' Local File Inclusion
https://notcve.org/view.php?id=CVE-2009-1621
12 May 2009 — Directory traversal vulnerability in index.php in OpenCart 1.1.8 allows remote attackers to read arbitrary files via a .. (dot dot) in the route parameter. Vulnerabilidad de salto de directorio en index.php en OpenCart v1.1.8 permite a atacantes remotos leer archivos de su elección a través de un .. (punto punto) en el parámetro route. • https://www.exploit-db.com/exploits/8539 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2009-1027
https://notcve.org/view.php?id=CVE-2009-1027
20 Mar 2009 — SQL injection vulnerability in OpenCart 1.1.8 allows remote attackers to execute arbitrary SQL commands via the order parameter. Vulnerabilidad de inyección SQL en OpenCart v1.1.8 permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro "order". • http://secunia.com/advisories/34313 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2008-3130
https://notcve.org/view.php?id=CVE-2008-3130
10 Jul 2008 — Multiple cross-site scripting (XSS) vulnerabilities in index.php in OpenCart 0.7.7 allow remote attackers to inject arbitrary web script or HTML via the (1) firstname and (2) search parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Múltiples vulnerabilidades de secuencia de comandos en sitios cruzados (XSS) en index.php de OpenCart 0.7.7, permiten a atacantes remotos inyectar secuencias de comandos web o HTML a través de los paráme... • http://secunia.com/advisories/30177 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •