CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47675
https://notcve.org/view.php?id=CVE-2023-47675
CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary OS command. CubeCart anterior a 6.5.3 permite a un atacante remoto autenticado con privilegios administrativos ejecutar un comando arbitrario del sistema operativo. • https://forums.cubecart.com/topic/58736-cubecart-653-released-security-update https://jvn.jp/en/jp/JVN22220399 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47283
https://notcve.org/view.php?id=CVE-2023-47283
Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to obtain files in the system. Vulnerabilidad de Directory Traversal en CubeCart anterior a 6.5.3 permite a un atacante remoto autenticado con privilegios administrativos obtener archivos en el sistema. • https://forums.cubecart.com/topic/58736-cubecart-653-released-security-update https://jvn.jp/en/jp/JVN22220399 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-42428
https://notcve.org/view.php?id=CVE-2023-42428
Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to delete directories and files in the system. Vulnerabilidad de Directory Traversal en CubeCart anterior a 6.5.3 permite a un atacante remoto autenticado con privilegios administrativos eliminar directorios y archivos en el sistema. • https://forums.cubecart.com/topic/58736-cubecart-653-released-security-update https://jvn.jp/en/jp/JVN22220399 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38130
https://notcve.org/view.php?id=CVE-2023-38130
Cross-site request forgery (CSRF) vulnerability in CubeCart prior to 6.5.3 allows a remote unauthenticated attacker to delete data in the system. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en CubeCart anterior a 6.5.3 permite que un atacante remoto no autenticado elimine datos en el sistema. • https://forums.cubecart.com/topic/58736-cubecart-653-released-security-update https://jvn.jp/en/jp/JVN22220399 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-33394
https://notcve.org/view.php?id=CVE-2021-33394
Cubecart 6.4.2 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session. Cubecart versión 6.4.2, permite la fijación de sesiones. • https://github.com/cubecart/v6/commit/aac7b3a13a43e302d91f94a120417b2fda737d0f https://github.com/xoffense/POC/blob/main/Session%20Fixation%20in%20Cubecart%206.4.2.md • CWE-384: Session Fixation •