CVSS: 5.8EPSS: 1%CPEs: 21EXPL: 9CVE-2012-0865 – CubeCart 3.0.20 - '/admin/login.php?goto' Arbitrary Site Redirect
https://notcve.org/view.php?id=CVE-2012-0865
Multiple open redirect vulnerabilities in CubeCart 3.0.20 and earlier allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) r parameter to switch.php or (2) goto parameter to admin/login.php. Múltiples vulnerabilidades de redirección abierta en CubeCart v3.0.20 y anteriores permite a atacantes remotos redirigir a los usuarios a sitios web arbitrarias y llevar a cabo ataques de phishing a través de una URL en el parámetro (1) r para switch.php o (2) el parámetro goto para admin / login. php. • https://www.exploit-db.com/exploits/36686 https://www.exploit-db.com/exploits/36685 https://www.exploit-db.com/exploits/36687 http://archives.neohapsis.com/archives/bugtraq/2012-02/0058.html http://osvdb.org/79140 http://osvdb.org/79141 http://www.openwall.com/lists/oss-security/2012/02/12/4 http://www.openwall.com/lists/oss-security/2012/02/13/5 http://www.openwall.com/lists/oss-security/2012/02/18/1 http://www.securityfocus.com/bid/51966 http:&#x • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2010-4903
https://notcve.org/view.php?id=CVE-2010-4903
SQL injection vulnerability in index.php in CubeCart 4.3.3 allows remote attackers to execute arbitrary SQL commands via the searchStr parameter. Vulnerabilidad de inyección SQL en index.php en CubeCart v4.3.3, permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro searchStr. • http://secunia.com/advisories/41352 http://securityreason.com/securityalert/8441 http://www.acunetix.com/blog/web-security-zone/articles/sql-injection-xss-cubecart-4-3-3 http://www.securityfocus.com/archive/1/513572/100/0/threaded http://www.securityfocus.com/bid/43114 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1CVE-2011-3724
https://notcve.org/view.php?id=CVE-2011-3724
CubeCart 4.4.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/shipping/USPS/calc.php and certain other files. CubeCart v4.4.3 permite a atacantes remotos obtener información sensible a través de una petición directa a un archivo .php, lo que revela la ruta de instalación en un mensaje de error, como se demostró con modules/shipping/USPS/calc.php y algunos otros archivos. • http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/CubeCart-4.4.3 http://www.openwall.com/lists/oss-security/2011/06/27/6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 4CVE-2010-1931 – CubeCart PHP 4.3.x - 'shipkey' SQL Injection
https://notcve.org/view.php?id=CVE-2010-1931
SQL injection vulnerability in includes/content/cart.inc.php in CubeCart PHP Shopping cart 4.3.4 through 4.3.9 allows remote attackers to execute arbitrary SQL commands via the shipKey parameter to index.php. Vulnerabilidad de inyección SQL en includes/content/cart.inc.php en CubeCart PHP Shopping cart v4.3.4 hasta v4.3.9 permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro shipKey en index.php. • https://www.exploit-db.com/exploits/14117 http://forums.cubecart.com/index.php?showtopic=41469 http://osvdb.org/65250 http://secunia.com/advisories/40102 http://www.coresecurity.com/content/cubecart-php-shopping-cart-sql-injection http://www.securityfocus.com/archive/1/511735/100/0/threaded http://www.securityfocus.com/bid/40641 https://exchange.xforce.ibmcloud.com/vulnerabilities/59245 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 43EXPL: 1CVE-2009-4060 – CubeCart 3.0.4/4.3.6 - 'ProductID' SQL Injection
https://notcve.org/view.php?id=CVE-2009-4060
SQL injection vulnerability in includes/content/viewProd.inc.php in CubeCart before 4.3.7 remote attackers to execute arbitrary SQL commands via the productId parameter. Una vulnerabilidad de inyección SQL en includes/content/viewProd.inc.php en CubeCart antes de v4.3.7 permite ejecutar comandos SQL a atacantes remotos a través del parámetro ProductID. • https://www.exploit-db.com/exploits/33362 http://forums.cubecart.com/index.php?showtopic=39900 http://osvdb.org/60306 http://secunia.com/advisories/37402 http://www.securityfocus.com/bid/37065 http://www.vupen.com/english/advisories/2009/3290 https://exchange.xforce.ibmcloud.com/vulnerabilities/54331 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •