CVE-2021-3291 – Zen Cart 1.5.7b - Remote Code Execution (Authenticated)
https://notcve.org/view.php?id=CVE-2021-3291
Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command.
References:
https://www.exploit-db.com/exploits/49608
https://github.com/ImHades101/CVE-2021-3291
http://packetstormsecurity.com/files/161613/Zen-Cart-1.5.7b-Remote-Code-Execution.html
https://github.com/MucahitSaratar/zencart_auth_rce_poc
Weakness: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2012-1413
https://notcve.org/view.php?id=CVE-2012-1413
Cross-site scripting (XSS) vulnerability in zc_install/includes/modules/pages/database_setup/header_php.php in Zen Cart 1.5.0 and earlier, when the software is being installed, allows remote attackers to inject arbitrary web script or HTML via the db_username parameter to zc_install/index.php.
References:
https://www.trustwave.com/spiderlabs/advisories/TWSL2012-004.txt
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')