CVE-2012-5792

The Sage Pay Direct module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2023-43702

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.This vulnerability allows attackers to inject JS through the "tracking_number" parameter,potentially leading to unauthorized execution of scripts within a user's web browser.

CVE-2023-6296

A vulnerability was found in osCommerce 4. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /catalog/compare of the component Instant Message Handler. The manipulation of the argument compare with the input 40dz4iq">zohkx leads to cross site scri...

CVE-2011-4543

Multiple directory traversal vulnerabilities in osCommerce 3.0.2 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) set or (2) module parameter to (a) OM/Core/Site/Admin/Application/templates_modules/pages/info.php, (b) OM/Core/Site/Admin/Application/t...

CVE-2012-5797

The PayPal Pro PayFlow module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2023-43722

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.This vulnerability allows attackers to inject JS through the "orders_status_groups_name[1]" parameter,potentially leading to unauthorized execution of scripts within a user's web browser.

CVE-2018-18573

osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Remote authenticated administrators can upload new '.htaccess' files (e.g., omitting .php) and subsequently achieve arbitrary PHP code execution via a /catalog/admin/categories.php?cPath=&action=new_prod...

CVE-2023-43713

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability,which allows attackers to inject JS via the "title" parameter, in the "/admin/admin-menu/add-submit"endpoint, which can lead to unauthorized execution of scripts in a user's web browser.

CVE-2002-1991

PHP file inclusion vulnerability in osCommerce 2.1 execute arbitrary commands via the include_file parameter to include_once.php.

CVE-2020-27975

osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF.

CVE-2023-43721

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.This vulnerability allows attackers to inject JS through the "PACKING_SLIPS_SUMMARY_TITLE[1]" parameter,potentially leading to unauthorized execution of scripts within a user's web browser.

CVE-2023-43727

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.This vulnerability allows attackers to inject JS through the "stock_indication_text[1]" parameter,potentially leading to unauthorized execution of scripts within a user's web browser.

CVE-2006-4298

Multiple directory traversal vulnerabilities in cache.php in osCommerce before 2.2 Milestone 2 060817 allow remote attackers to determine existence of arbitrary files and disclose the installation path via a .. (dot dot) in unspecified parameters in the (1) tep_cache_also_purchased, (2) tep_cache_m...

CVE-2006-6533

Directory traversal vulnerability in admin/templates_boxes_layout.php in osCommerce 3.0a3 allows remote attackers to include and execute arbitrary PHP files via a .. (dot dot) in the filter parameter. NOTE: this issue can be leveraged to obtain full path information in error messages.

CVE-2008-4170

create_account.php in osCommerce 2.2 RC 2a allows remote attackers to obtain sensitive information via an invalid dob parameter, which reveals the installation path in an error message.

CVE-2012-5793

The Authorize.Net module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2020-23360

oscommerce v2.3.4.1 has a functional problem in user registration and password rechecking, where a non-identical password can bypass the checks in /catalog/admin/administrators.php and /catalog/password_reset.php

CVE-2023-43731

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.This vulnerability allows attackers to inject JS through the "zone_name" parameter,potentially leading to unauthorized execution of scripts within a user's web browser.

CVE-2023-43726

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.This vulnerability allows attackers to inject JS through the "orders_products_status_manual_name_long[1]" parameter,potentially leading to unauthorized execution of scripts within a user's web browser.

CVE-2023-43728

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.This vulnerability allows attackers to inject JS through the "stock_delivery_terms_text[1]" parameter,potentially leading to unauthorized execution of scripts within a user's web browser.

CVE-2023-43720

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.This vulnerability allows attackers to inject JS through the "BILLING_GENDER_TITLE[1]" parameter,potentially leading to unauthorized execution of scripts within a user's web browser.

CVE-2023-43723

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.This vulnerability allows attackers to inject JS through the "orders_status_name[1]" parameter,potentially leading to unauthorized execution of scripts within a user's web browser.

CVE-2023-43717

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.This vulnerability allows attackers to inject JS through the "MSEARCH_HIGHLIGHT_ENABLE_TITLE[1]" parameter,potentially leading to unauthorized execution of scripts within a user's web browser.

CVE-2023-43719

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.This vulnerability allows attackers to inject JS through the "SHIPPING_GENDER_TITLE[1]" parameter,potentially leading to unauthorized execution of scripts within a user's web browser.

CVE-2023-43725

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.This vulnerability allows attackers to inject JS through the "orders_products_status_name_long[1]" parameter,potentially leading to unauthorized execution of scripts within a user's web browser.

CVE-2023-6579

A vulnerability, which was classified as critical, has been found in osCommerce 4. Affected by this issue is some unknown functionality of the file /b2b-supermarket/shopping-cart of the component POST Parameter Handler. The manipulation of the argument estimate[country_id] leads to sql injection. T...

CVE-2025-40674

Reflected Cross-Site Scripting (XSS) in osCommerce v4. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the name of any parameter in /watch/en/about-us. This vulnerability can be exploited to steal sensitive user da...