CVE-2008-0719 – osCommerce Addon Customer Testimonials 3.1 - SQL Injection
https://notcve.org/view.php?id=CVE-2008-0719
SQL injection vulnerability in customer_testimonials.php in the Customer Testimonials 3 and 3.1 Addon for osCommerce Online Merchant 2.2 allows remote attackers to execute arbitrary SQL commands via the testimonial_id parameter. Vulnerabilidad de inyección SQL en customer_testimonials.php de Customer Testimonials 3 y 3.1 Addon para osCommerce Online Merchant 2.2. Permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro testimonial_id. • https://www.exploit-db.com/exploits/5075 http://secunia.com/advisories/28831 http://www.securityfocus.com/bid/27664 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2006-5190 – osCommerce 2.2 - '/admin/banner_manager.php?page' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2006-5190
Multiple cross-site scripting (XSS) vulnerabilities in osCommerce 2.2 Milestone 2 Update 060817 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter in the (a) banner_manager.php, (b) banner_statistics.php, (c) countries.php, (d) currencies.php, (e) languages.php, (f) manufacturers.php, (g) newsletters.php, (h) orders_status.php, (i) products_attributes.php, (j) products_expected.php, (k) reviews.php, (l) specials.php, (m) stats_products_purchased.php, (n) stats_products_viewed.php, (o) tax_classes.php, (p) tax_rates.php, or (q) zones.php scripts in /admin, and the (2) zpage parameter in (r) admin/geo_zones.php. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados en osCommerce 2.2 Milestone 2 Update 060817 permite a un atacante remoto inyectar secuencias de comandos web o HTML de su elección a través del parámetro (1) page en las secuencias de comandos (a) banner_manager.php, (b) banner_statistics.php, (c) countries.php, (d) currencies.php, (e) languages.php, (f) manufacturers.php, (g) newsletters.php, (h) orders_status.php, (i) products_attributes.php, (j) products_expected.php, (k) reviews.php, (l) specials.php, (m) stats_products_purchased.php, (n) stats_products_viewed.php, (o) tax_classes.php, (p) tax_rates.php, o (q) zones.php en /admin, y el (2) parámetro zpage en (r) admin/geo_zones.php. • https://www.exploit-db.com/exploits/28743 https://www.exploit-db.com/exploits/28745 https://www.exploit-db.com/exploits/28746 https://www.exploit-db.com/exploits/28744 https://www.exploit-db.com/exploits/28747 https://www.exploit-db.com/exploits/28748 https://www.exploit-db.com/exploits/28749 https://www.exploit-db.com/exploits/28750 https://www.exploit-db.com/exploits/28751 https://www.exploit-db.com/exploits/28752 https://www.exploit-db.com/exploits/28753 •
CVE-2006-4297
https://notcve.org/view.php?id=CVE-2006-4297
SQL injection vulnerability in shopping_cart.php in osCommerce before 2.2 Milestone 2 060817 allows remote attackers to execute arbitrary SQL commands via id array parameters. Vulnerabilidad e inyección SQL en shopping_carg.php de osCommerce anetrior a 2.2 Milestone 2 060817 permite a atacantes remotos ejecutar comandos SQL de su elección a través de parámetros array de id. • http://forums.oscommerce.com/index.php?showtopic=223556&pid=918371 http://securitytracker.com/id?1016719 http://www.gulftech.org/?node=research&article_id=00110-08172006 http://www.securityfocus.com/archive/1/444780/100/0/threaded http://www.securityfocus.com/bid/19644 http://www.securityfocus.com/bid/19774 https://exchange.xforce.ibmcloud.com/vulnerabilities/28434 •
CVE-2006-4298
https://notcve.org/view.php?id=CVE-2006-4298
Multiple directory traversal vulnerabilities in cache.php in osCommerce before 2.2 Milestone 2 060817 allow remote attackers to determine existence of arbitrary files and disclose the installation path via a .. (dot dot) in unspecified parameters in the (1) tep_cache_also_purchased, (2) tep_cache_manufacturers_box, and (3) tep_cache_categories_box functions. Múltiples vulnerabilidades de escalado de directorio en cache.php de osCommerce anterior a 2.2 Milestone 2 060817 permiten a atacantes remotos determinar la existencia de archivos de su elección y descubrir la ruta de instalación mediante un .. (punto punto) en parámetros no especificados en las funciones (1) tep_cache_also_purchased, (2) tep_cache_manufacturers_box, y (3) tep_cache_categories_box. • http://forums.oscommerce.com/index.php?showtopic=223556&pid=918371 http://www.gulftech.org/?node=research&article_id=00110-08172006 https://exchange.xforce.ibmcloud.com/vulnerabilities/28435 •
CVE-2005-4677
https://notcve.org/view.php?id=CVE-2005-4677
SQL injection vulnerability in additional_images.php (aka the Additional Images module) before 1.14 in osCommerce allows remote attackers to execute arbitrary SQL commands via the products_id parameter to product_info.php. • http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0124.html http://secunia.com/advisories/17082 http://www.oscommerce.com/community/contributions%2C1032 http://www.osvdb.org/19874 http://www.securityfocus.com/bid/15023 http://www.vupen.com/english/advisories/2005/1974 https://exchange.xforce.ibmcloud.com/vulnerabilities/22528 •