CVE-2015-0882
https://notcve.org/view.php?id=CVE-2015-0882
Multiple cross-site scripting (XSS) vulnerabilities in zencart-ja (aka Zen Cart Japanese edition) 1.3 jp through 1.3.0.2 jp8 and 1.5 ja through 1.5.1 ja allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, related to admin/includes/init_includes/init_sanitize.php and includes/init_includes/init_sanitize.php. Múltiples vulnerabilidades de XSS en zencart-ja (también conocido como Zen Cart Japanese edition) 1.3 jp hasta 1.3.0.2 jp8 y 1.5 ja hasta 1.5.1 ja permiten a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través de un parámetro manipulado, relacionado con admin/includes/init_includes/init_sanitize.php e includes/init_includes/init_sanitize.php. • http://jvn.jp/en/jp/JVN44544694/281242/index.html http://jvn.jp/en/jp/JVN44544694/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2015-000027 https://github.com/zencart-ja/zc-v1-series/commit/022949bd09444d7e58703cc537dbbd5744c381b8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2012-1413
https://notcve.org/view.php?id=CVE-2012-1413
Cross-site scripting (XSS) vulnerability in zc_install/includes/modules/pages/database_setup/header_php.php in Zen Cart 1.5.0 and earlier, when the software is being installed, allows remote attackers to inject arbitrary web script or HTML via the db_username parameter to zc_install/index.php. Vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en zc_install/includes/modules/pages/database_setup/header_php.php en Zen Cart 1.5.0 y anteriores cuando el software está siendo instalado, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro de db_username zc_install / index.php. • https://www.trustwave.com/spiderlabs/advisories/TWSL2012-004.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-4567 – Zen Cart CMS 1.3.9h - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2011-4567
Cross-site scripting (XSS) vulnerability in includes/templates/template_default/templates/tpl_gv_send_default.php in Zen Cart before 1.5 allows remote attackers to inject arbitrary web script or HTML via the message parameter in a gv_send action to index.php, a different vulnerability than CVE-2011-4547. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en en includes/templates/template_default/templates/tpl_gv_send_default.php en Zen Cart antes de v1.5 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro del mensaje en una acción gv_send a index.php. Se trata de una vulnerabilidad diferente a CVE-2011 hasta 4.547. • https://www.exploit-db.com/exploits/36346 http://www.securityfocus.com/bid/50787 https://exchange.xforce.ibmcloud.com/vulnerabilities/71519 https://www.dognaedis.com/vulns/DGS-SEC-8.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2009-4321
https://notcve.org/view.php?id=CVE-2009-4321
extras/curltest.php in Zen Cart 1.3.8 and 1.3.8a, and possibly other versions, allows remote attackers to read arbitrary files via a file:// URI. NOTE: some of these details are obtained from third party information. extras/curltest.php en Zen Cart v1.3.8 y v1.3.8a, y posiblemente otras versiones, permite a atacantes remotos leer ficheros arbitrarios a través de un fichero file:// URI. NOTA: Algunos de los detalles fueron obtenidos de terceras partes. • http://osvdb.org/60892 http://secunia.com/advisories/37630 http://www.acunetix.com/blog/websecuritynews/acusensor-curl-and-zen-cart http://www.securityfocus.com/archive/1/508340/100/0/threaded http://www.securityfocus.com/bid/37283 http://www.vupen.com/english/advisories/2009/3474 http://www.zen-cart.com/forum/showthread.php?t=142784 https://exchange.xforce.ibmcloud.com/vulnerabilities/54687 • CWE-20: Improper Input Validation •
CVE-2008-6986
https://notcve.org/view.php?id=CVE-2008-6986
SQL injection vulnerability in the actionMultipleAddProduct function in includes/classes/shopping_cart.php in Zen Cart 1.3.0 through 1.3.8a, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the products_id array parameter in a multiple_products_add_product action, a different vulnerability than CVE-2008-6985. Vulnerabilidad de inyección SQL en la función actionMultipleAddProduct en includes/classes/shopping_cart.php en Zen Cartv v1.3.0 hasta v1.3.8a, cuando magic_quotes_gpc es desactivada, permite a atacantes remotos ejecutar comandos SQL a su elección a través del parámetro products_id en una acción multiple_products_add_product, una vulnerabilidad diferente a CVE-2008-6985. • http://secunia.com/advisories/31758 http://www.gulftech.org/?node=research&article_id=00129-09042008 http://www.osvdb.org/48347 http://www.securityfocus.com/archive/1/496002/100/0/threaded http://www.securityfocus.com/archive/1/496032/100/100/threaded http://www.securityfocus.com/bid/31023 http://www.zen-cart.com/forum/showthread.php?p=604473 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •