CVSS: 5.0EPSS: 5%CPEs: 11EXPL: 1CVE-2006-0922 – CubeCart 3.0.x - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2006-0922
CubeCart 3.0 through 3.6 does not properly check authorization for an administration session because of a missing auth.inc.php include, which results in an absolute path traversal vulnerability in FileUpload in connector.php (aka upload.php) that allows remote attackers to upload arbitrary files via a modified CurrentFolder parameter in a direct request to admin/filemanager/upload.php. • https://www.exploit-db.com/exploits/27304 http://securityreason.com/securityalert/482 http://www.cubecart.com/site/forums/index.php?showtopic=14704 http://www.cubecart.com/site/forums/index.php?showtopic=14817 http://www.cubecart.com/site/forums/index.php?showtopic=14825 http://www.cubecart.com/site/forums/index.php?showtopic=14960 http://www.cubecart.com/site/forums/index.php? •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 5CVE-2005-3152 – CubeCart 3.0.3 - 'cart.php?redir' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2005-3152
Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.3 allow remote attackers to inject arbitrary web script or HTML via the redir parameter to (1) cart.php or (2) index.php, or (3) the searchStr parameter in a viewCat action to index.php. Note: vectors (1) and (2) were later reported to affect 3.0.7-pl1. • https://www.exploit-db.com/exploits/26304 https://www.exploit-db.com/exploits/26303 http://bugs.cubecart.com/?do=details&id=363 http://bugs.cubecart.com/?do=details&id=459 http://lostmon.blogspot.com/2005/09/cubecart-303-multiple-variable-cross.html http://lostmon.blogspot.com/2006/01/cubecart-307-pl1-indexphp-multiple.html http://securityreason.com/securityalert/35 http://securitytracker.com/id?1014984 http://www.securityfocus.com/bid/14962 https://exchange.xforce.ibmcloud. •