CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2006-4214
https://notcve.org/view.php?id=CVE-2006-4214
17 Aug 2006 — Multiple SQL injection vulnerabilities in Zen Cart 1.3.0.2 and earlier allow remote attackers to execute arbitrary SQL commands via (1) GPC data to the ipn_get_stored_session function in ipn_main_handler.php, which can be leveraged to modify elements of $_SESSION; and allow remote authenticated users to execute arbitrary SQL commands via (2) a session id within a cookie to whos_online_session_recreate, (3) the quantity field to the add_cart function, (4) an id[] parameter when adding an item to a shopping c... • http://secunia.com/advisories/21484 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 7%CPEs: 1EXPL: 1CVE-2006-4215 – Zen Cart Web Shopping Cart 1.3.0.2 - 'autoload_func.php?autoLoadConfig[999][0][loadFile]' Remote File Inclusion
https://notcve.org/view.php?id=CVE-2006-4215
17 Aug 2006 — PHP remote file inclusion vulnerability in index.php in Zen Cart 1.3.0.2 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the autoLoadConfig[999][0][loadFile] parameter. Vulnerabilidad de inclusión remota de archivo en PHP en index.php en Zen Cart 1.3.0.2 y anteriores, cuando register_globals está activado, permite a atacantes remotos ejecutar código PHP de su elección mediante una URL en el parámetro autoLoadConfig[999][0][loadFile]. • https://www.exploit-db.com/exploits/28392 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2006-3757
https://notcve.org/view.php?id=CVE-2006-3757
21 Jul 2006 — index.php in Zen Cart 1.3.0.2 allows remote attackers to obtain sensitive information via empty (1) _GET[], (2) _SESSION[], (3) _POST[], (4) _COOKIE[], or (5) _SESSION[] array parameters, which reveals the installation path in an error message. NOTE: this issue might be resultant from a global overwrite vulnerability. index.php en Zen Cart 1.3.0.2 permite a atacantes remotos obtener información sensible a través de parámetros de array vacios (1) _GET[], (2) _SESSION[], (3) _POST[], (4) _COOKIE[], o (5) _SES... • http://securityreason.com/securityalert/1253 •
CVSS: 9.8EPSS: 0%CPEs: 14EXPL: 0CVE-2006-0696
https://notcve.org/view.php?id=CVE-2006-0696
15 Feb 2006 — SQL injection vulnerability in Zen Cart before 1.2.7 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. • http://secunia.com/advisories/18801 •
CVSS: 10.0EPSS: 0%CPEs: 11EXPL: 0CVE-2006-0697
https://notcve.org/view.php?id=CVE-2006-0697
15 Feb 2006 — Zen Cart before 1.2.7 does not protect the admin/includes directory, which allows remote attackers to cause unknown impact via unspecified vectors, probably direct requests. • http://secunia.com/advisories/18801 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 10.0EPSS: 0%CPEs: 14EXPL: 0CVE-2006-0698
https://notcve.org/view.php?id=CVE-2006-0698
15 Feb 2006 — Unspecified vulnerabilities in Zen Cart before 1.2.7 allow remote attackers to cause unknown impact via unspecified vectors related to "other attempted exploits" other than SQL injection. • http://secunia.com/advisories/18801 •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2005-3997
https://notcve.org/view.php?id=CVE-2005-3997
05 Dec 2005 — Zen Cart 1.2.6d and earlier, under certain PHP configurations, allows remote attackers to obtain sensitive information via direct requests to files in the admin/includes directory, including (1) graphs/banner_daily.php, (2) graphs/banner_infobox.php, (3) graphs/banner_yearly.php, (4) graphs/banner_monthly.php, (5) application_bottom.php, (6) attributes_preview.php, (7) modules/category_product_listing.php, (8) modules/copy_to_confirm.php, (9) modules/delete_product_confirm.php, and (10) modules/move_product... • http://rgod.altervista.org/zencart_126d_xpl.html •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 3CVE-2005-3996 – Zen Cart 1.2.6d - 'password_forgotten.php' SQL Injection
https://notcve.org/view.php?id=CVE-2005-3996
05 Dec 2005 — SQL injection vulnerability in admin/password_forgotten.php in Zen Cart 1.2.6d and earlier allows remote attackers to execute arbitrary SQL commands via the admin_email parameter. • https://www.exploit-db.com/exploits/1354 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2004-2024
https://notcve.org/view.php?id=CVE-2004-2024
31 Dec 2004 — The distribution of Zen Cart 1.1.4 before patch 2 includes certain debugging code in the Admin password retrieval functionality, which allows attackers to gain administrative privileges via password_forgotten.php. • http://www.zen-cart.com/modules/ipb/index.php?showtopic=4873 •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2004-2025
https://notcve.org/view.php?id=CVE-2004-2025
31 Dec 2004 — SQL injection vulnerability in application_top.php for Zen Cart 1.1.3 before patch 2 may allow remote attackers to execute arbitrary SQL commands via the products_id parameter. • http://www.zen-cart.com/modules/ipb/index.php?showtopic=3731 •