Product:

Zen_cart

(Zen\-Cart)
Repositories https://github.com/zencart-ja/zc-v1-series
#Vulnerabilities 27
Date Id Summary Products Score Patch Annotated
2021-01-26 CVE-2021-3291 Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command. Zen_cart 7.2
2021-03-19 CVE-2020-6578 Zen Cart 1.5.6d allows reflected XSS via the main_page parameter to includes/templates/template_default/common/tpl_main_page.php or includes/templates/responsive_classic/common/tpl_main_page.php. Zen_cart 6.1
2024-08-21 CVE-2024-5762 Zen Cart findPluginAdminPage Local File Inclusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Zen Cart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the findPluginAdminPage function. The issue results from the lack of proper validation of user-supplied data prior to passing it to a PHP include function. An attacker can leverage this in conjunction with... Zen_cart 8.1
2017-08-24 CVE-2015-8352 Directory traversal vulnerability in Zen Cart 1.5.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the act parameter to ajax.php. Zen_cart 9.8
2017-05-08 CVE-2017-8833 Zen Cart 1.6.0 has XSS in the main_page parameter to index.php. NOTE: 1.6.0 is not an official release but the vendor's README.md file offers a link to v160.zip with a description of "Download latest in-development version from github." Zen_cart 6.1
2017-07-27 CVE-2017-11675 The traverseStrictSanitize function in admin_dir/includes/classes/AdminRequestSanitizer.php in ZenCart 1.5.5e mishandles key strings, which allows remote authenticated users to execute arbitrary PHP code by placing that code into an invalid array index of the admin_name array parameter to admin_dir/login.php, if there is an export of an error-log entry for that invalid array index. Zen_cart 8.8
2017-06-28 CVE-2017-10667 In index.php in Zen Cart 1.6.0, the products_id parameter can cause XSS. Zen_cart 6.1
2015-02-27 CVE-2015-0882 Multiple cross-site scripting (XSS) vulnerabilities in zencart-ja (aka Zen Cart Japanese edition) 1.3 jp through 1.3.0.2 jp8 and 1.5 ja through 1.5.1 ja allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, related to admin/includes/init_includes/init_sanitize.php and includes/init_includes/init_sanitize.php. Zen_cart N/A
2012-11-04 CVE-2012-5808 The LinkPoint module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Linkpoint, Zen_cart N/A
2012-11-04 CVE-2012-5807 The Authorize.Net eCheck module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Authorize\.net_echeck_module, Zen_cart N/A