Total
77 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-43711 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | N/A | 5.4 MEDIUM |
| Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "admin_firstname" parameter, potentially leading to unauthorized execution of scripts within a user's web browser. | |||||
| CVE-2023-43710 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | N/A | 5.4 MEDIUM |
| Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "configuration_title[1][MODULE_SHIPPING_PERCENT_TEXT_TITLE]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser. | |||||
| CVE-2023-43709 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | N/A | 5.4 MEDIUM |
| Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "configuration_title[1](MODULE)" parameter, potentially leading to unauthorized execution of scripts within a user's web browser. | |||||
| CVE-2023-43708 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | N/A | 5.4 MEDIUM |
| Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "configuration_title[1](MODULE_PAYMENT_SAGE_PAY_SERVER_TEXT_TITLE)" parameter, potentially leading to unauthorized execution of scripts within a user's web browser. | |||||
| CVE-2023-43707 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | N/A | 5.4 MEDIUM |
| Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "CatalogsPageDescriptionForm[1][name] " parameter, potentially leading to unauthorized execution of scripts within a user's web browser. | |||||
| CVE-2023-43706 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | N/A | 5.4 MEDIUM |
| Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "email_templates_key" parameter, potentially leading to unauthorized execution of scripts within a user's web browser. | |||||
| CVE-2023-43705 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | N/A | 5.4 MEDIUM |
| Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "translation_value[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser. | |||||
| CVE-2023-43704 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | N/A | 5.4 MEDIUM |
| Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "title" parameter, potentially leading to unauthorized execution of scripts within a user's web browser. | |||||
| CVE-2023-43703 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | N/A | 5.4 MEDIUM |
| Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "product_info[][name]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser. | |||||
| CVE-2023-43702 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | N/A | 5.4 MEDIUM |
| Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "tracking_number" parameter, potentially leading to unauthorized execution of scripts within a user's web browser. | |||||
| CVE-2022-35212 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | N/A | 6.1 MEDIUM |
| osCommerce2 before v2.3.4.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the function tep_db_error(). | |||||
| CVE-2020-29070 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters. | |||||
| CVE-2020-27976 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remotely. Within admin/mail.php, a from POST parameter can be passed to the application. This affects the PHP mail function, and the sendmail -f option. | |||||
| CVE-2020-27975 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF. | |||||
| CVE-2020-23360 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| oscommerce v2.3.4.1 has a functional problem in user registration and password rechecking, where a non-identical password can bypass the checks in /catalog/admin/administrators.php and /catalog/password_reset.php | |||||
| CVE-2018-18573 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Remote authenticated administrators can upload new '.htaccess' files (e.g., omitting .php) and subsequently achieve arbitrary PHP code execution via a /catalog/admin/categories.php?cPath=&action=new_product URI. | |||||
| CVE-2018-18572 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Because of this filter, script files with certain PHP-related extensions (such as .phtml and .php5) didn't execute in the application. But this filter didn't prevent the '.pht' extension. Thus, remote authenticated administrators can upload '.pht' files for arbitrary PHP code execution via a /catalog/admin/categories.php?cPath=&action=new_product URI. | |||||