CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 3CVE-2014-10033 – osCommerce 2.3.3.4 - 'geo_zones.php?zID' SQL Injection
https://notcve.org/view.php?id=CVE-2014-10033
SQL injection vulnerability in the update_zone function in catalog/admin/geo_zones.php in osCommerce Online Merchant 2.3.3.4 and earlier allows remote administrators to execute arbitrary SQL commands via the zID parameter in a list action. Vulnerabilidad de inyección SQL en la función update_zone en catalog/admin/geo_zones.php en osCommerce Online Merchant 2.3.3.4 y anteriores permite a administradores remotos ejecutar comandos SQL arbitrarios a través del parámetro zID en una acción de listar. • https://www.exploit-db.com/exploits/31515 http://osvdb.org/show/osvdb/103365 http://www.exploit-db.com/exploits/31515 http://www.secgeek.net/oscommerce-v2x-sql-injection-vulnerability https://exchange.xforce.ibmcloud.com/vulnerabilities/91113 https://github.com/gburton/oscommerce2/commit/e4d90eccd7d9072ebe78da4c38fb048bfe31c902 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.0EPSS: 0%CPEs: 5EXPL: 0CVE-2012-2991
https://notcve.org/view.php?id=CVE-2012-2991
The PayPal (aka MODULE_PAYMENT_PAYPAL_STANDARD) module before 1.1 in osCommerce Online Merchant before 2.3.4 allows remote attackers to set the payment recipient via a modified value of the merchant's e-mail address, as demonstrated by setting the recipient to one's self. El módulo PayPal (también conocido como MODULE_PAYMENT_PAYPAL_STANDARD)anterior a v1.1 en osCommerce Online Merchant anteriores a v2.3.4 permite a atacantes remotos, fijar el receptor de pago a través de un valor modificado en la dirección de correo electrónico del comerciante, como se demostró fijando el valor del receptor a uno mismo. • http://secunia.com/advisories/50640 http://www.kb.cert.org/vuls/id/459446 •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2012-2935
https://notcve.org/view.php?id=CVE-2012-2935
Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Shop/Application/Checkout/pages/main.php in OSCommerce Online Merchant 3.0.2 allows remote attackers to inject arbitrary web script or HTML via the value_title parameter, a different vulnerability than CVE-2012-1059. Vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en osCommerce/OM/Core/Site/Shop/Application/Checkout/pages/main.php en OSCommerce Online Merchant v3.0.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro value_title, una vulnerabilidad diferente a CVE-2012-1059. • https://exchange.xforce.ibmcloud.com/vulnerabilities/75900 https://github.com/osCommerce/oscommerce/commit/a5aeb0448cc333cc4b801c0e01981b218fd9c7df • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 2.6EPSS: 0%CPEs: 5EXPL: 1CVE-2012-1792
https://notcve.org/view.php?id=CVE-2012-1792
Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Setup/Application/Install/RPC/DBCheck.php in OSCommerce Online Merchant 3.0.2, when the software is being installed, allows remote attackers to inject arbitrary web script or HTML via the name parameter to oscommerce/index.php, which is not properly handled in an error message. NOTE: this might not be a vulnerability, since the ability to access oscommerce/index.php during installation may already imply administrator privileges. Vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en osCommerce/OM/Core/Site/Setup/Application/Install/RPC/DBCheck.php en OSCommerce Online Merchant v3.0.2 cuando el software está siendo instalado, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro de nombre de oscommerce / index.php, que no se maneja adecuadamente, en un mensaje de error. NOTA: esto podría no ser una vulnerabilidad, ya que la capacidad de acceder a oscommerce / index.php durante la instalación ya puede implicar privilegios de administrador. • https://www.trustwave.com/spiderlabs/advisories/TWSL2012-005.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •