Page 3 of 14 results (0.017 seconds)

CVSS: 2.6EPSS: 1%CPEs: 1EXPL: 0

Zen Cart 1.2.6d and earlier, under certain PHP configurations, allows remote attackers to obtain sensitive information via direct requests to files in the admin/includes directory, including (1) graphs/banner_daily.php, (2) graphs/banner_infobox.php, (3) graphs/banner_yearly.php, (4) graphs/banner_monthly.php, (5) application_bottom.php, (6) attributes_preview.php, (7) modules/category_product_listing.php, (8) modules/copy_to_confirm.php, (9) modules/delete_product_confirm.php, and (10) modules/move_product_confirm.php, which leaks the web server path in the resulting error message. • http://rgod.altervista.org/zencart_126d_xpl.html http://secunia.com/advisories/17869 http://www.osvdb.org/22866 http://www.osvdb.org/22867 http://www.osvdb.org/22868 http://www.osvdb.org/22869 http://www.osvdb.org/22870 http://www.osvdb.org/22871 http://www.osvdb.org/22872 http://www.osvdb.org/22873 http://www.osvdb.org/22874 http://www.osvdb.org/22875 http://www.securityfocus.com/archive/1/418517/100/0/threaded http://www.securityfocus& •

CVSS: 5.1EPSS: 1%CPEs: 1EXPL: 3

SQL injection vulnerability in admin/password_forgotten.php in Zen Cart 1.2.6d and earlier allows remote attackers to execute arbitrary SQL commands via the admin_email parameter. • https://www.exploit-db.com/exploits/1354 http://rgod.altervista.org/zencart_126d_xpl.html http://secunia.com/advisories/17869 http://securitytracker.com/id?1015306 http://www.osvdb.org/21411 http://www.securityfocus.com/archive/1/418517/100/0/threaded http://www.securityfocus.com/archive/1/418995/100/0/threaded http://www.securityfocus.com/bid/15690 http://www.vupen.com/english/advisories/2005/2728 https://exchange.xforce.ibmcloud.com/vulnerabilities/23510 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

SQL injection vulnerability in application_top.php for Zen Cart 1.1.3 before patch 2 may allow remote attackers to execute arbitrary SQL commands via the products_id parameter. • http://www.zen-cart.com/modules/ipb/index.php?showtopic=3731 http://www.zen-cart.com/modules/mydownloads/viewcat.php?cid=31&orderby=dateD •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

SQL injection vulnerability in login.php in Zen Cart 1.1.2d, 1.1.4 before patch 1, and possibly other versions allows remote attackers to execute arbitrary SQL via the (1) admin_name or (2) admin_pass parameters. • http://marc.info/?l=bugtraq&m=108489697219781&w=2 http://secunia.com/advisories/11649 http://securitytracker.com/id?1010172 http://www.osvdb.org/6298 http://www.packetstormsecurity.org/0405-advisories/zencart112d.txt http://www.securityfocus.com/archive/1/434237/30/4950/threaded http://www.securityfocus.com/bid/10378 http://www.zen-cart.com/modules/ipb/index.php?showtopic=4835 http://www.zen-cart.com/modules/mydownloads/viewcat.php?cid=31&orderby=dateD https://exchange.xforc •