
9 matches found

Prion
added 2008/04/22 4:41 a.m., 10 views

Directory traversal

Multiple directory traversal vulnerabilities in cpCommerce 1.1.0 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the language parameter in a language action to the default URI, which is not properly handled in actions/language.act.php, or (2) the action...

7.5 CVSS, 7.8 AI score, 0.02827 EPSS
Exploits: 1, References: 6, Affected Software: 1

NVD
added 2008/04/22 4:41 a.m., 8 views

CVE-2008-1908

Multiple directory traversal vulnerabilities in cpCommerce 1.1.0 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the language parameter in a language action to the default URI, which is not properly handled in actions/language.act.php, or (2) the action...

7.5 CVSS, 7.3 AI score, 0.02827 EPSS
Exploits: 1, References: 6

CVE
added 2008/04/21 11:0 p.m., 33 views

CVE-2008-1906

CVE-2008-1906 describes a cross-site scripting (XSS) vulnerability in cpCommerce 1.1.0, specifically in calendar.php. The issue allows remote attackers to inject arbitrary web script or HTML via the year parameter in a view.year action. The description and associated references confirm the vulner...

4.3 CVSS, 5.7 AI score, 0.0171 EPSS
Exploits: 1, References: 6, Affected Software: 1

Cvelist
added 2008/04/21 11:0 p.m., 20 views

CVE-2008-1908

Multiple directory traversal vulnerabilities in cpCommerce 1.1.0 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the language parameter in a language action to the default URI, which is not properly handled in actions/language.act.php, or (2) the action...

7.3 AI score, 0.02827 EPSS
Exploits: 1, References: 6

CVE
added 2008/04/21 11:0 p.m., 39 views

CVE-2008-1907

CVE-2008-1907 describes multiple SQL injection vulnerabilities in cpCommerce 1.1.0, specifically in functions/display_page.func.php. The attacker can remotely execute arbitrary SQL commands via the (1) id_product, (2) id_manufacturer, and (3) id_category parameters to unspecified components, indi...

7.5 CVSS, 8.4 AI score, 0.00997 EPSS
Exploits: 1, References: 5, Affected Software: 1

CVE
added 2008/04/21 11:0 p.m., 34 views

CVE-2008-1908

CVE-2008-1908 affects cpCommerce 1.1.0 with multiple directory traversal vulnerabilities. The flaws allow remote attackers to include and execute arbitrary local files via a .. in (1) the language parameter used by a language action to the default URI (not properly handled in actions/language.act...

7.5 CVSS, 7.3 AI score, 0.02827 EPSS
Exploits: 1, References: 6, Affected Software: 1

CVE
added 2007/06/01 1:0 a.m., 35 views

CVE-2007-2968

cpCommerce 1.1.0 and earlier contains an XSS vulnerability in register.php via the name field (Full Name). Remote attackers can inject arbitrary web script/HTML. Affected component: register.php in cpCommerce 1.1.0 and earlier. No remediation details are provided in the supplied documents. Exploi...

4.3 CVSS, 5.7 AI score, 0.01224 EPSS
Exploits: 0, References: 6, Affected Software: 1

NVD
added 2007/05/30 1:30 a.m., 17 views

CVE-2007-2890

SQL injection vulnerability in category.php in cpCommerce 1.1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the idcategory parameter...

7.5 CVSS, 8.2 AI score, 0.01195 EPSS
Exploits: 1, References: 6

Exploit DB
added 2007/05/29 12:0 a.m., 22 views

CPCommerce 1.1 - 'manufacturer.php' SQL Injection

source: https://www.securityfocus.com/bid/24223/info cpCommerce is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify...

7.4 AI score
Exploits: 0