Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Zen_cart
(Zen\-Cart)| Repositories | https://github.com/zencart-ja/zc-v1-series |
| #Vulnerabilities | 26 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-03-19 | CVE-2020-6578 | Zen Cart 1.5.6d allows reflected XSS via the main_page parameter to includes/templates/template_default/common/tpl_main_page.php or includes/templates/responsive_classic/common/tpl_main_page.php. | Zen_cart | 6.1 | ||
| 2021-01-26 | CVE-2021-3291 | Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command. | Zen_cart | 7.2 | ||
| 2017-08-24 | CVE-2015-8352 | Directory traversal vulnerability in Zen Cart 1.5.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the act parameter to ajax.php. | Zen_cart | 9.8 | ||
| 2017-05-08 | CVE-2017-8833 | Zen Cart 1.6.0 has XSS in the main_page parameter to index.php. NOTE: 1.6.0 is not an official release but the vendor's README.md file offers a link to v160.zip with a description of "Download latest in-development version from github." | Zen_cart | 6.1 | ||
| 2017-07-27 | CVE-2017-11675 | The traverseStrictSanitize function in admin_dir/includes/classes/AdminRequestSanitizer.php in ZenCart 1.5.5e mishandles key strings, which allows remote authenticated users to execute arbitrary PHP code by placing that code into an invalid array index of the admin_name array parameter to admin_dir/login.php, if there is an export of an error-log entry for that invalid array index. | Zen_cart | 8.8 | ||
| 2017-06-28 | CVE-2017-10667 | In index.php in Zen Cart 1.6.0, the products_id parameter can cause XSS. | Zen_cart | 6.1 | ||
| 2015-02-27 | CVE-2015-0882 | Multiple cross-site scripting (XSS) vulnerabilities in zencart-ja (aka Zen Cart Japanese edition) 1.3 jp through 1.3.0.2 jp8 and 1.5 ja through 1.5.1 ja allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, related to admin/includes/init_includes/init_sanitize.php and includes/init_includes/init_sanitize.php. | Zen_cart | N/A | ||
| 2012-11-04 | CVE-2012-5808 | The LinkPoint module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | Linkpoint, Zen_cart | N/A | ||
| 2012-11-04 | CVE-2012-5807 | The Authorize.Net eCheck module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | Authorize\.net_echeck_module, Zen_cart | N/A | ||
| 2012-11-04 | CVE-2012-5806 | The PayPal Payments Pro module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function, a different vulnerability than CVE-2012-5805. | Payments_pro, Zen_cart | N/A |