The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object.
Max CVSS: 9.8 | EPSS Score: 30.19% | Published: 2013-02-08 | Updated: 2024-01-09
CubeCart before 6.1.13 has SQL Injection via the validate[] parameter of the "I forgot my Password!" feature.
Max CVSS: 9.8 | EPSS Score: 0.21% | Published: 2019-01-15 | Updated: 2019-01-23
Cross-site request forgery (CSRF) vulnerability in CubeCart prior to 6.5.3 allows a remote unauthenticated attacker to delete data in the system.
Max CVSS: 8.1 | EPSS Score: 0.07% | Published: 2023-11-17 | Updated: 2023-11-22
classes/session/cc_admin_session.php in CubeCart 4.3.4 does not properly restrict administrative access permissions, which allows remote attackers to bypass restrictions and gain administrative access via an HTTP request that contains an empty (1) sessID (ccAdmin cookie), (2) X_CLUSTER_CLIENT_IP header, or (3) User-Agent header.
Max CVSS: 7.5 | EPSS Score: 6.81% | Published: 2009-11-06 | Updated: 2018-10-10
SQL injection vulnerability in includes/content/viewProd.inc.php in CubeCart before 4.3.7 allows remote attackers to execute arbitrary SQL commands via the productId parameter.
Max CVSS: 7.5 | EPSS Score: 0.27% | Published: 2009-11-24 | Updated: 2017-08-17
SQL injection vulnerability in includes/content/cart.inc.php in CubeCart PHP Shopping cart 4.3.4 through 4.3.9 allows remote attackers to execute arbitrary SQL commands via the shipKey parameter to index.php.
Max CVSS: 7.5 | EPSS Score: 0.32% | Published: 2010-06-10 | Updated: 2018-10-10
SQL injection vulnerability in index.php in CubeCart 4.3.3 allows remote attackers to execute arbitrary SQL commands via the searchStr parameter.
Max CVSS: 7.5 | EPSS Score: 0.23% | Published: 2011-10-08 | Updated: 2018-10-10
CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary OS command.
Max CVSS: 7.2 | EPSS Score: 0.08% | Published: 2023-11-17 | Updated: 2023-11-22
Session fixation vulnerability in CubeCart before 5.2.9 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
Max CVSS: 6.8 | EPSS Score: 16.65% | Published: 2014-04-22 | Updated: 2017-08-29
classes/admin.class.php in CubeCart 5.2.12 through 5.2.16 and 6.x before 6.0.7 does not properly validate that a password reset request was made, which allows remote attackers to change the administrator password via a recovery request with a space character in the validate parameter and the administrator email in the email parameter.
Max CVSS: 6.8 | EPSS Score: 1.54% | Published: 2015-09-28 | Updated: 2016-12-07
Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors.
Max CVSS: 6.5 | EPSS Score: 0.11% | Published: 2017-04-28 | Updated: 2017-05-05
Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors.
Max CVSS: 6.5 | EPSS Score: 0.14% | Published: 2017-04-28 | Updated: 2017-05-05
Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to delete directories and files in the system.
Max CVSS: 6.5 | EPSS Score: 0.08% | Published: 2023-11-17 | Updated: 2023-11-22
Multiple open redirect vulnerabilities in CubeCart 3.0.20 and earlier allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) r parameter to switch.php or (2) goto parameter to admin/login.php.
Max CVSS: 5.8 | EPSS Score: 1.71% | Published: 2012-02-21 | Updated: 2018-01-11
CubeCart 6.4.2 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it into a victim's session. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session.
Max CVSS: 5.5 | EPSS Score: 0.05% | Published: 2021-05-27 | Updated: 2021-06-02
CubeCart 6.2.2 has Reflected XSS via a /{ADMIN-FILE}/ query string.
Max CVSS: 5.4 | EPSS Score: 0.06% | Published: 2019-01-13 | Updated: 2019-01-16
CubeCart 4.4.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/shipping/USPS/calc.php and certain other files.
Max CVSS: 5.0 | EPSS Score: 0.29% | Published: 2011-09-23 | Updated: 2012-03-13
Directory traversal vulnerability in CubeCart versions prior to 6.1.5 allows an attacker with administrator rights to read arbitrary files via unspecified vectors.
Max CVSS: 4.9 | EPSS Score: 0.09% | Published: 2017-04-28 | Updated: 2017-05-05
Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to obtain files in the system.
Max CVSS: 4.9 | EPSS Score: 0.07% | Published: 2023-11-17 | Updated: 2023-11-22
Multiple cross-site scripting (XSS) vulnerabilities in index.php in CubeCart 4.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) _a parameter in a searchStr action and the (2) Submit parameter.
Max CVSS: 4.3 | EPSS Score: 0.22% | Published: 2008-03-31 | Updated: 2017-08-08
20 vulnerabilities found