CVE-2015-8352 – Zen Cart 1.5.4 - Local File Inclusion
https://notcve.org/view.php?id=CVE-2015-8352
Directory traversal vulnerability in Zen Cart 1.5.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the act parameter to ajax.php. Una vulnerabilidad de salto de directorio en Zen Cart 1.5.4 permite que atacantes remotos incluyan y ejecuten archivos locales arbitrarios mediante un ".." (punto punto) en el parámetro act en ajax.php Zen Cart version 1.5.4 suffers from a local file inclusion vulnerability. • https://www.exploit-db.com/exploits/39017 http://www.securityfocus.com/archive/1/537129/100/0/threaded https://www.htbridge.com/advisory/HTB23282 https://www.zen-cart.com/showthread.php?218914-Security-Patches-for-v1-5-4-November-2015 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2012-1413
https://notcve.org/view.php?id=CVE-2012-1413
Cross-site scripting (XSS) vulnerability in zc_install/includes/modules/pages/database_setup/header_php.php in Zen Cart 1.5.0 and earlier, when the software is being installed, allows remote attackers to inject arbitrary web script or HTML via the db_username parameter to zc_install/index.php. Vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en zc_install/includes/modules/pages/database_setup/header_php.php en Zen Cart 1.5.0 y anteriores cuando el software está siendo instalado, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro de db_username zc_install / index.php. • https://www.trustwave.com/spiderlabs/advisories/TWSL2012-004.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •