Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Oscommerce Subscribe
Filtered by product Online Merchant
Total 10 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-18964 1 Oscommerce 1 Online Merchant 2020-08-24 4.0 MEDIUM 4.9 MEDIUM
osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. The .htaccess file in catalog/images/ bans the html extension, but there are several extensions in which contained HTML can be executed, such as the svg extension.
CVE-2018-18966 2 Microsoft, Oscommerce 2 Internet Explorer, Online Merchant 2020-08-24 4.0 MEDIUM 4.9 MEDIUM
osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. The .htaccess file in catalog/images/ bans the html extension, but Internet Explorer render HTML elements in a .eml file.
CVE-2018-18965 1 Oscommerce 1 Online Merchant 2020-08-24 4.0 MEDIUM 4.9 MEDIUM
osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. The .htaccess file in catalog/images/ bans the html extension, but there are several alternative cases in which HTML can be executed, such as a file with no extension or an unrecognized extension (e.g., the test or test.asdf filename).
CVE-2008-4765 1 Oscommerce 2 Online Merchant, Poll Booth 2017-09-28 7.5 HIGH N/A
SQL injection vulnerability in pollBooth.php in osCommerce Poll Booth Add-On 2.0 allows remote attackers to execute arbitrary SQL commands via the pollID parameter in a results operation. NOTE: this issue was disclosed by an unreliable researcher, so it might be incorrect.
CVE-2014-10033 1 Oscommerce 1 Online Merchant 2017-09-07 6.5 MEDIUM N/A
SQL injection vulnerability in the update_zone function in catalog/admin/geo_zones.php in osCommerce Online Merchant 2.3.3.4 and earlier allows remote administrators to execute arbitrary SQL commands via the zID parameter in a list action.
CVE-2012-2935 1 Oscommerce 1 Online Merchant 2017-08-28 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Shop/Application/Checkout/pages/main.php in OSCommerce Online Merchant 3.0.2 allows remote attackers to inject arbitrary web script or HTML via the value_title parameter, a different vulnerability than CVE-2012-1059.
CVE-2012-1059 1 Oscommerce 1 Online Merchant 2017-08-28 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Shop/Application/Cart/pages/main.php in OSCommerce Online Merchant 3.0.2 allows remote attackers to inject arbitrary web script or HTML via the value_title parameter, as demonstrated using the "Front" field in the shirt module.
CVE-2012-2991 2 Oscommerce, Paypal 2 Online Merchant, Website Payments Standard Module 2013-03-01 5.0 MEDIUM N/A
The PayPal (aka MODULE_PAYMENT_PAYPAL_STANDARD) module before 1.1 in osCommerce Online Merchant before 2.3.4 allows remote attackers to set the payment recipient via a modified value of the merchant's e-mail address, as demonstrated by setting the recipient to one's self.
CVE-2012-1792 1 Oscommerce 1 Online Merchant 2012-05-27 2.6 LOW N/A
Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Setup/Application/Install/RPC/DBCheck.php in OSCommerce Online Merchant 3.0.2, when the software is being installed, allows remote attackers to inject arbitrary web script or HTML via the name parameter to oscommerce/index.php, which is not properly handled in an error message. NOTE: this might not be a vulnerability, since the ability to access oscommerce/index.php during installation may already imply administrator privileges.
CVE-2012-0312 1 Oscommerce 2 Online Merchant, Oscommerce 2012-02-05 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in osCommerce 2.2MS1J before R9, and osCommerce Online Merchant before 2.3.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.