6 matches found
PT-2026-22364
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the products_id parameter. Attackers can modify the products_id value in product_info.php requests and append boolean-based SQL injection...
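The mechanism behind the boolean-based injection in the entry above, as an added illustration that is not osCommerce code and not part of the advisory: a product lookup that concatenates the request's products_id into the query, beside a hardened version that parses the value as an integer and binds it as a parameter. The in-memory SQLite schema, the admins table, the row values and the function names are all constructed for this example. The blind-extraction loop shows why a true/false difference in the response is enough to read other tables one character at a time.

```python
import sqlite3


def build_db():
    """Constructed sample database: a products table plus a table worth stealing."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (products_id INTEGER PRIMARY KEY, products_price REAL)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)", [(1, 9.99), (2, 19.99), (3, 29.99)]
    )
    conn.execute("CREATE TABLE admins (id INTEGER PRIMARY KEY, user_name TEXT)")
    conn.execute("INSERT INTO admins VALUES (1, 'admin')")
    return conn


def vulnerable_lookup(conn, products_id):
    """Hypothetical vulnerable handler: the raw request value lands in the SQL text."""
    sql = "SELECT products_price FROM products WHERE products_id = " + products_id
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn, products_id):
    """Hardened form: strict integer parse, then a bound parameter (never string concatenation)."""
    try:
        pid = int(products_id)
    except ValueError:
        return []  # reject anything that is not a plain integer
    return [
        row[0]
        for row in conn.execute(
            "SELECT products_price FROM products WHERE products_id = ?", (pid,)
        )
    ]


def infer_first_char(conn, lookup):
    """Boolean-based blind probe: the page either shows product 1 or it does not.

    Each candidate character is appended as an AND condition on a subquery against
    another table; the first candidate that still returns the product row is the
    first character of the admin user name. Returns None if no probe succeeds,
    which is what the hardened handler produces.
    """
    for ch in "abcdefghijklmnopqrstuvwxyz":
        payload = (
            "1 AND (SELECT substr(user_name, 1, 1) FROM admins WHERE id = 1) = '%s'" % ch
        )
        if lookup(conn, payload):
            return ch
    return None


def run_demo():
    """Exercise both handlers on a fresh database and return the observable results."""
    conn = build_db()
    return {
        "vuln_normal": vulnerable_lookup(conn, "2"),
        "vuln_false_condition": vulnerable_lookup(conn, "2 AND 1=2"),
        "vuln_leaked_char": infer_first_char(conn, vulnerable_lookup),
        "hard_normal": hardened_lookup(conn, "2"),
        "hard_leaked_char": infer_first_char(conn, hardened_lookup),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The true/false pair (`vuln_normal` non-empty, `vuln_false_condition` empty) is the oracle an attacker needs; the hardened handler returns an empty result for every tampered value, so the probe loop learns nothing.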
CVE-2020-23360
oscommerce v2.3.4.1 has a functional problem in user registration and password rechecking, where a non-identical password can bypass the checks in /catalog/admin/administrators.php and /catalog/password_reset.php...
CVE-2012-0311
Cross-site scripting (XSS) vulnerability in osCommerce 2.2MS1J before R9 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...
PT-2024-19544 · Unknown · Oscommerce
Name of the Vulnerable Software and Affected Versions: osCommerce version 4
Description: An issue allows local attackers to bypass file upload restrictions and execute arbitrary code via the administrator profile photo upload feature.
Recommendations: For osCommerce version 4, as a temporary...
osCommerce 2.2 - osCsid Cross-Site Scripting
osCommerce 2.2 - osCsid Cross-Site Scripting source: https://www.securityfocus.com/bid/9238/info It has been reported that osCommerce may be prone to a cross-site scripting vulnerability that may allow an attacker to construct a malicious link containing HTML or script code that may be rendered i...
osCommerce 2.12.2 - Checkout_Payment.php Error Output Cross-Site Scripting
osCommerce 2.12.2 - Checkout_Payment.php Error Output Cross-Site Scripting source: https://www.securityfocus.com/bid/7155/info Error output is not sufficiently sanitized of HTML and script code by osCommerce. This may allow for cross-site scripting attacks as remote users could create a malicious...