Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Cubecart Subscribe
Filtered by product Cubecart
Total 16 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-33394 1 Cubecart 1 Cubecart 2021-06-02 5.5 MEDIUM 5.4 MEDIUM
Cubecart 6.4.2 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session.
CVE-2018-20716 1 Cubecart 1 Cubecart 2019-01-23 7.5 HIGH 9.8 CRITICAL
CubeCart before 6.1.13 has SQL Injection via the validate[] parameter of the "I forgot my Password!" feature.
CVE-2018-20703 1 Cubecart 1 Cubecart 2019-01-16 3.5 LOW 5.4 MEDIUM
CubeCart 6.2.2 has Reflected XSS via a /{ADMIN-FILE}/ query string.
CVE-2010-4903 1 Cubecart 1 Cubecart 2018-10-10 7.5 HIGH N/A
SQL injection vulnerability in index.php in CubeCart 4.3.3 allows remote attackers to execute arbitrary SQL commands via the searchStr parameter.
CVE-2010-1931 1 Cubecart 1 Cubecart 2018-10-10 7.5 HIGH N/A
SQL injection vulnerability in includes/content/cart.inc.php in CubeCart PHP Shopping cart 4.3.4 through 4.3.9 allows remote attackers to execute arbitrary SQL commands via the shipKey parameter to index.php.
CVE-2009-3904 1 Cubecart 1 Cubecart 2018-10-10 7.5 HIGH N/A
classes/session/cc_admin_session.php in CubeCart 4.3.4 does not properly restrict administrative access permissions, which allows remote attackers to bypass restrictions and gain administrative access via a HTTP request that contains an empty (1) sessID (ccAdmin cookie), (2) X_CLUSTER_CLIENT_IP header, or (3) User-Agent header.
CVE-2012-0865 1 Cubecart 1 Cubecart 2018-01-10 5.8 MEDIUM N/A
Multiple open redirect vulnerabilities in CubeCart 3.0.20 and earlier allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) r parameter to switch.php or (2) goto parameter to admin/login.php.
CVE-2014-2341 1 Cubecart 1 Cubecart 2017-08-28 6.8 MEDIUM N/A
Session fixation vulnerability in CubeCart before 5.2.9 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
CVE-2013-1465 1 Cubecart 1 Cubecart 2017-08-28 7.5 HIGH N/A
The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object.
CVE-2009-4060 1 Cubecart 1 Cubecart 2017-08-16 7.5 HIGH N/A
SQL injection vulnerability in includes/content/viewProd.inc.php in CubeCart before 4.3.7 remote attackers to execute arbitrary SQL commands via the productId parameter.
CVE-2008-1550 1 Cubecart 1 Cubecart 2017-08-07 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in index.php in CubeCart 4.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the _a parameter in a searchStr action and the (2) Submit parameter.
CVE-2017-2117 1 Cubecart 1 Cubecart 2017-05-05 4.0 MEDIUM 4.9 MEDIUM
Directory traversal vulnerability in CubeCart versions prior to 6.1.5 allows attacker with administrator rights to read arbitrary files via unspecified vectors.
CVE-2017-2090 1 Cubecart 1 Cubecart 2017-05-05 4.0 MEDIUM 6.5 MEDIUM
Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors.
CVE-2017-2098 1 Cubecart 1 Cubecart 2017-05-05 4.0 MEDIUM 6.5 MEDIUM
Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors.
CVE-2015-6928 1 Cubecart 1 Cubecart 2016-12-07 6.8 MEDIUM N/A
classes/admin.class.php in CubeCart 5.2.12 through 5.2.16 and 6.x before 6.0.7 does not properly validate that a password reset request was made, which allows remote attackers to change the administrator password via a recovery request with a space character in the validate parameter and the administrator email in the email parameter.
CVE-2011-3724 1 Cubecart 1 Cubecart 2012-03-12 5.0 MEDIUM N/A
CubeCart 4.4.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/shipping/USPS/calc.php and certain other files.