Vulnerabilities > Oscommerce > High
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-01-27 | CVE-2020-23360 | Incorrect Comparison vulnerability in Oscommerce 2.3.4.1: osCommerce v2.3.4.1 has a functional problem in user registration and password rechecking, where a non-identical password can bypass the checks in /catalog/admin/administrators.php and /catalog/password_reset.php | 7.5 |
2011-12-05 | CVE-2011-4543 | Path Traversal vulnerability in Oscommerce 3.0.2: Multiple directory traversal vulnerabilities in osCommerce 3.0.2 allow remote attackers to include and execute arbitrary local files via a .. | 7.5 |
2008-10-28 | CVE-2008-4765 | SQL Injection vulnerability in Oscommerce Poll Booth 2.0: SQL injection vulnerability in pollBooth.php in osCommerce Poll Booth Add-On 2.0 allows remote attackers to execute arbitrary SQL commands via the pollID parameter in a results operation. | 7.5 |
2008-02-12 | CVE-2008-0719 | SQL Injection vulnerability in Oscommerce Customer Testimonials and Oscommerce: SQL injection vulnerability in customer_testimonials.php in the Customer Testimonials 3 and 3.1 Addon for osCommerce Online Merchant 2.2 allows remote attackers to execute arbitrary SQL commands via the testimonial_id parameter. | 7.5 |
2006-12-14 | CVE-2006-6533 | Input Validation vulnerability in Oscommerce 3.0A3: Directory traversal vulnerability in admin/templates_boxes_layout.php in osCommerce 3.0a3 allows remote attackers to include and execute arbitrary PHP files via a .. | 7.5 |
2006-08-23 | CVE-2006-4297 | SQL Injection vulnerability in Oscommerce 2.2Ms220060817: SQL injection vulnerability in shopping_cart.php in osCommerce before 2.2 Milestone 2 060817 allows remote attackers to execute arbitrary SQL commands via id array parameters. | 7.5 |
2004-12-31 | CVE-2004-2638 | Unspecified vulnerability in Oscommerce 1.5.1: The Admin Access With Levels plugin in osCommerce 1.5.1 allows remote attackers to access files in the "admin/" directory by modifying the in_login parameter to a non-zero value. | 7.5 |
2004-06-01 | CVE-2004-2044 | PHP-Nuke 7.3, and other products that use the PHP-Nuke codebase such as the Nuke Cops betaNC PHP-Nuke Bundle, OSCNukeLite 3.1, and OSC2Nuke 7x do not properly use the eregi() PHP function with $_SERVER['PHP_SELF'] to identify the calling script, which allows remote attackers to directly access scripts, obtain path information via a PHP error message, and possibly gain access, as demonstrated using an HTTP request that contains the "admin.php" string. | 7.5 |