Vulnerabilities > Oscommerce > Oscommerce
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-11-25 | CVE-2020-29070 | Cross-site Scripting vulnerability in Oscommerce 2.3.4.1 osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters. | 3.5 |
| 2020-10-28 | CVE-2020-27976 | OS Command Injection vulnerability in Oscommerce osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remotely. | 10.0 |
| 2020-10-28 | CVE-2020-27975 | Cross-Site Request Forgery (CSRF) vulnerability in Oscommerce osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF. | 6.8 |
| 2019-08-22 | CVE-2018-18573 | Code Injection vulnerability in Oscommerce 2.3.4.1 osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. | 6.5 |
| 2019-08-22 | CVE-2018-18572 | Unrestricted Upload of File with Dangerous Type vulnerability in Oscommerce 2.3.4.1 osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. | 6.5 |
| 2015-06-28 | CVE-2015-2965 | Path Traversal vulnerability in Oscommerce Directory traversal vulnerability in osCommerce Japanese 2.2ms1j-R8 and earlier allows remote authenticated administrators to read arbitrary files via unspecified vectors. | 4.0 |
| 2012-11-04 | CVE-2012-5798 | Improper Input Validation vulnerability in multiple products The PayPal Pro PayFlow EC module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | 5.8 |
| 2012-11-04 | CVE-2012-5797 | Improper Input Validation vulnerability in multiple products The PayPal Pro PayFlow module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | 5.8 |
| 2012-11-04 | CVE-2012-5796 | Improper Input Validation vulnerability in multiple products The PayPal Pro module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | 5.8 |
| 2012-11-04 | CVE-2012-5795 | Improper Input Validation vulnerability in multiple products The PayPal Express module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | 5.8 |