Vulnerabilities > Oscommerce > Medium

DATE CVE VULNERABILITY TITLE RISK
2012-11-04 CVE-2012-5795 Improper Input Validation vulnerability in multiple products
The PayPal Express module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
5.8
2012-11-04 CVE-2012-5794 Improper Input Validation vulnerability in multiple products
The MoneyBookers module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
5.8
2012-11-04 CVE-2012-5793 Improper Input Validation vulnerability in multiple products
The Authorize.Net module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
5.8
2012-11-04 CVE-2012-5792 Improper Input Validation vulnerability in multiple products
The Sage Pay Direct module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
5.8
2012-09-19 CVE-2012-2991
The PayPal (aka MODULE_PAYMENT_PAYPAL_STANDARD) module before 1.1 in osCommerce Online Merchant before 2.3.4 allows remote attackers to set the payment recipient via a modified value of the merchant's e-mail address, as demonstrated by setting the recipient to one's self.
network
low complexity
oscommerce paypal
5.0
2012-05-27 CVE-2012-2935 Cross-Site Scripting vulnerability in Oscommerce Online Merchant
Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Shop/Application/Checkout/pages/main.php in OSCommerce Online Merchant 3.0.2 allows remote attackers to inject arbitrary web script or HTML via the value_title parameter, a different vulnerability than CVE-2012-1059.
network
oscommerce CWE-79
4.3
2012-02-14 CVE-2012-1059 Cross-Site Scripting vulnerability in Oscommerce Online Merchant 3.0.2
Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Shop/Application/Cart/pages/main.php in OSCommerce Online Merchant 3.0.2 allows remote attackers to inject arbitrary web script or HTML via the value_title parameter, as demonstrated using the "Front" field in the shirt module.
network
oscommerce CWE-79
4.3
2012-01-26 CVE-2012-0312 Cross-Site Scripting vulnerability in Oscommerce Online Merchant and Oscommerce
Cross-site scripting (XSS) vulnerability in osCommerce 2.2MS1J before R9, and osCommerce Online Merchant before 2.3.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
network
oscommerce CWE-79
4.3
2012-01-26 CVE-2012-0311 Cross-Site Scripting vulnerability in Oscommerce
Cross-site scripting (XSS) vulnerability in osCommerce 2.2MS1J before R9 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
network
oscommerce CWE-79
4.3
2011-09-24 CVE-2011-3767 Information Exposure vulnerability in Oscommerce 3.0A5
osCommerce 3.0a5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by redirect.php.
network
low complexity
oscommerce CWE-200
5.0