Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Zen_cart
(Zen\-Cart)| Repositories | https://github.com/zencart-ja/zc-v1-series |
| #Vulnerabilities | 27 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2024-08-21 | CVE-2024-5762 | Zen Cart findPluginAdminPage Local File Inclusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Zen Cart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the findPluginAdminPage function. The issue results from the lack of proper validation of user-supplied data prior to passing it to a PHP include function. An attacker can leverage this in conjunction with... | Zen_cart | 8.1 | ||
| 2021-03-19 | CVE-2020-6578 | Zen Cart 1.5.6d allows reflected XSS via the main_page parameter to includes/templates/template_default/common/tpl_main_page.php or includes/templates/responsive_classic/common/tpl_main_page.php. | Zen_cart | 6.1 | ||
| 2021-01-26 | CVE-2021-3291 | Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command. | Zen_cart | 7.2 | ||
| 2017-08-24 | CVE-2015-8352 | Directory traversal vulnerability in Zen Cart 1.5.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the act parameter to ajax.php. | Zen_cart | 9.8 | ||
| 2017-05-08 | CVE-2017-8833 | Zen Cart 1.6.0 has XSS in the main_page parameter to index.php. NOTE: 1.6.0 is not an official release but the vendor's README.md file offers a link to v160.zip with a description of "Download latest in-development version from github." | Zen_cart | 6.1 | ||
| 2017-07-27 | CVE-2017-11675 | The traverseStrictSanitize function in admin_dir/includes/classes/AdminRequestSanitizer.php in ZenCart 1.5.5e mishandles key strings, which allows remote authenticated users to execute arbitrary PHP code by placing that code into an invalid array index of the admin_name array parameter to admin_dir/login.php, if there is an export of an error-log entry for that invalid array index. | Zen_cart | 8.8 | ||
| 2017-06-28 | CVE-2017-10667 | In index.php in Zen Cart 1.6.0, the products_id parameter can cause XSS. | Zen_cart | 6.1 | ||
| 2015-02-27 | CVE-2015-0882 | Multiple cross-site scripting (XSS) vulnerabilities in zencart-ja (aka Zen Cart Japanese edition) 1.3 jp through 1.3.0.2 jp8 and 1.5 ja through 1.5.1 ja allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, related to admin/includes/init_includes/init_sanitize.php and includes/init_includes/init_sanitize.php. | Zen_cart | N/A | ||
| 2012-11-04 | CVE-2012-5808 | The LinkPoint module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | Linkpoint, Zen_cart | N/A | ||
| 2012-11-04 | CVE-2012-5807 | The Authorize.Net eCheck module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | Authorize\.net_echeck_module, Zen_cart | N/A |