RSS   Podatności dla 'Cubecart'   RSS

2021-05-27
 
CVE-2021-33394

CWE-384
 

 
Cubecart 6.4.2 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session.

 
2019-01-15
 
CVE-2018-20716

CWE-89
 

 
CubeCart before 6.1.13 has SQL Injection via the validate[] parameter of the "I forgot my Password!" feature.

 
2019-01-13
 
CVE-2018-20703

CWE-79
 

 
CubeCart 6.2.2 has Reflected XSS via a /{ADMIN-FILE}/ query string.

 
2017-04-28
 
CVE-2017-2117

 

 
Directory traversal vulnerability in CubeCart versions prior to 6.1.5 allows attacker with administrator rights to read arbitrary files via unspecified vectors.

 
 
CVE-2017-2098

 

 
Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors.

 
 
CVE-2017-2090

 

 
Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors.

 
2015-09-28
 
CVE-2015-6928

 

 
classes/admin.class.php in CubeCart 5.2.12 through 5.2.16 and 6.x before 6.0.7 does not properly validate that a password reset request was made, which allows remote attackers to change the administrator password via a recovery request with a space character in the validate parameter and the administrator email in the email parameter.

 
2014-04-22
 
CVE-2014-2341

CWE-287
 

 
Session fixation vulnerability in CubeCart before 5.2.9 allows remote attackers to hijack web sessions via the PHPSESSID parameter.

 
2013-02-08
 
CVE-2013-1465

CWE-20
 

 
The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object.

 
2012-02-21
 
CVE-2012-0865

CWE-20
 

 
Multiple open redirect vulnerabilities in CubeCart 3.0.20 and earlier allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) r parameter to switch.php or (2) goto parameter to admin/login.php.

 


Copyright 2024, cxsecurity.com

 

Back to Top