9 matches found
CVE-2018-18965
CVE-2018-18965 affects osCommerce 2.3.4.1. The catalog/images/.htaccess blacklist bans the .html extension on the product page, but other cases allow HTML to be executed, such as files with no extension or unrecognized extensions (e.g., test or test.asdf). The connected documents do not provide e...
CVE-2018-18966
CVE-2018-18966 affects osCommerce 2.3.4.1. The issue is an incomplete .htaccess blacklist in catalog/images/ that bans the html extension, while Internet Explorer can render HTML elements in a .eml file. This can enable HTML content handling despite the filter. CVSS2 v2.0 base 4.0 (Medium) and CV...
CVE-2012-0312
CVE-2012-0312 affects osCommerce: XSS in osCommerce 2.2MS1J before R9 and osCommerce Online Merchant before 2.3.1 allows remote attackers to inject arbitrary scripts/HTML via unspecified vectors. Documented impact is execution of script in the user’s browser; no exploitation details are provided ...
CVE-2012-1792
OSCommerce Online Merchant 3.0.2 has a documented XSS vulnerability in the installer path: DBCheck.php during installation, where the name parameter to oscommerce/index.php is not properly sanitized in an error message, allowing injection of arbitrary script/HTML. The root cause is improper handl...
CVE-2018-18964
CVE-2018-18964 affects osCommerce 2.3.4.1. An incomplete blacklist in the catalog/images/.htaccess for the product page bans the html extension, but HTML can still be executed via other extensions (e.g., .svg). The document does not specify a fixed patch or exact exploit vector beyond this restri...
CVE-2012-1059
CVE-2012-1059 describes a Cross-site scripting (XSS) vulnerability in OSCommerce Online Merchant 3.0.2. The issue affects the cart component at OSCommerce/OM/Core/Site/Shop/Application/Cart/pages/main.php where user-supplied input in the value_title parameter can be echoed back to the page, allow...
CVE-2012-2935
CVE-2012-2935 describes a cross-site scripting (XSS) vulnerability in OSCommerce Online Merchant 3.0.2. The flaw affects the file path OSCommerce/OM/Core/Site/Shop/Application/Checkout/pages/main.php, where a crafted value_title parameter can inject arbitrary web script/HTML. This is the checkout...
CVE-2012-2991
OSS Commerce PayPal Standard module vulnerability CVE-2012-2991: in osCommerce Online Merchant, the PayPal (MODULE_PAYMENT_PAYPAL_STANDARD) integration prior to v1.1 in the PayPal module for pre-2.3.4 supports altering the merchant email address on the client side, allowing remote attackers to se...
CVE-2014-10033
The CVE-2014-10033 entry describes an SQL injection in the update_zone function of osCommerce Online Merchant 2.3.3.4 and earlier. The vulnerability exists in catalog/admin/geo_zones.php, where remote administrators can trigger arbitrary SQL execution via the zID parameter in a list action. The i...