CVE-2014-3990 – OpenCart 1.5.6.4 PHP Object Injection
https://notcve.org/view.php?id=CVE-2014-3990
The Cart::getProducts method in system/library/cart.php in OpenCart 1.5.6.4 and earlier allows remote attackers to conduct server-side request forgery (SSRF) attacks or possibly conduct XML External Entity (XXE) attacks and execute arbitrary code via a crafted serialized PHP object, related to the quantity parameter in an update request. OpenCart versions 1.5.6.4 and below suffer from a PHP object injection vulnerability.
• References:
http://karmainsecurity.com/KIS-2014-08
http://packetstormsecurity.com/files/127460/OpenCart-1.5.6.4-PHP-Object-Injection.html
http://seclists.org/fulldisclosure/2014/Jul/67
http://www.securityfocus.com/archive/1/532763/100/0/threaded
http://www.securityfocus.com/bid/68529
https://github.com/opencart-ce/opencart-ce/commit/c2aafc823bd85876f5e888f8ebc421069a5e076f
• Weaknesses:
CWE-611: Improper Restriction of XML External Entity Reference
CWE-918: Server-Side Request Forgery (SSRF)
CVE-2008-3130
https://notcve.org/view.php?id=CVE-2008-3130
Multiple cross-site scripting (XSS) vulnerabilities in index.php in OpenCart 0.7.7 allow remote attackers to inject arbitrary web script or HTML via the (1) firstname and (2) search parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
• References:
http://secunia.com/advisories/30177
https://exchange.xforce.ibmcloud.com/vulnerabilities/43504
https://exchange.xforce.ibmcloud.com/vulnerabilities/43505
• Weaknesses:
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')