Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Ubercart Subscribe
Total 12 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2012-5804 2 Cybersource Module Project, Ubercart 2 Cybersource, Ubercart 2017-08-28 5.8 MEDIUM N/A
The CyberSource module in Ubercart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVE-2012-5803 2 Irata, Ubercart 2 Authorize.net Module, Ubercart 2017-08-28 5.8 MEDIUM N/A
The Authorize.Net module in Ubercart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVE-2012-5802 2 Paypal, Ubercart 2 Paypal, Ubercart 2017-08-28 5.8 MEDIUM N/A
The PayPal module in Ubercart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVE-2009-4771 2 Drupal, Ubercart 2 Drupal, Ubercart 2017-08-16 5.0 MEDIUM N/A
The PayPal Website Payments Standard functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal does not properly validate orders, which allows remote attackers to trigger unspecified "duplicate actions" via unknown vectors.
CVE-2009-4772 2 Drupal, Ubercart 2 Drupal, Ubercart 2017-08-16 4.3 MEDIUM N/A
Unspecified vulnerability in the PayPal Website Payments Standard functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal, when a custom checkout completion message is enabled, allows attackers to obtain sensitive information via unknown vectors.
CVE-2009-4773 2 Drupal, Ubercart 2 Drupal, Ubercart 2017-08-16 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the order-management functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
CVE-2014-9026 1 Ubercart 1 Ubercart 2014-11-20 4.0 MEDIUM N/A
The Ubercart module 7.x-3.x before 7.x-3.7 for Drupal does not properly protect the per-user order history view, which allows remote authenticated users with the "view own orders" permission to obtain sensitive information via unspecified vectors.
CVE-2012-2301 1 Ubercart 1 Ubercart 2014-11-19 6.0 MEDIUM N/A
The Ubercart module 6.x-2.x before 6.x-2.8 for Drupal allows remote authenticated users with the "administer product classes" permission to execute arbitrary PHP code via unspecified vectors.
CVE-2013-7302 2 Drupal, Ubercart 2 Drupal, Ubercart 2014-04-30 6.8 MEDIUM N/A
Session fixation vulnerability in the Ubercart module 6.x-2.x before 6.x-2.13 and 7.x-3.x before 7.x-3.6 for Drupal, when the "Log in new customers after checkout" option is enabled, allows remote attackers to hijack web sessions by leveraging knowledge of the original session ID.
CVE-2013-0322 2 Drupal, Ubercart 2 Drupal, Ubercart 2013-07-19 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in Views in the Ubercart module 7.x-3.x before 7.x-3.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via the full name field.
CVE-2012-2300 2 Drupal, Ubercart 2 Drupal, Ubercart 2012-08-15 2.1 LOW N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Ubercart module 6.x-2.x before 6.x-2.8 and 7.x-3.x before 7.x-3.1 for Drupal allow remote authenticated users with the administer product classes permission to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-2299 2 Drupal, Ubercart 2 Drupal, Ubercart 2012-08-14 2.1 LOW N/A
The Ubercart module 6.x-2.x before 6.x-2.8 and 7.x-3.x before 7.x-3.1 for Drupal stores passwords for new customers in plaintext during checkout, which allows local users to obtain sensitive information by reading from the database.