Vulnerabilities > ZEN Cart > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-08-21 | CVE-2024-5762 | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Zen-Cart ZEN Cart 1.5.8A Zen Cart findPluginAdminPage Local File Inclusion Remote Code Execution Vulnerability. | 8.1 |
| 2009-12-14 | CVE-2009-4323 | Information Disclosure vulnerability in Zen Cart The installation for Zen Cart stores sensitive information and insecure programs under the (1) docs, (2) extras, and (3) zc_install folders, and (4) install.txt, which allows remote attackers to obtain sensitive information, delete the database, and conduct other attacks via a direct request, different vulnerabilities than CVE-2009-4321 and CVE-2009-4322. | 7.5 |
| 2009-06-30 | CVE-2009-2254 | SQL Injection vulnerability in Zen-Cart ZEN Cart Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/sqlpatch.php, which allows remote attackers to execute arbitrary SQL commands via the query_string parameter in an execute action, in conjunction with a PATH_INFO of password_forgotten.php, related to a "SQL Execution" issue. | 7.5 |
| 2009-04-06 | CVE-2008-6615 | SQL Injection vulnerability in Zen-Cart ZEN Cart 2008 SQL injection vulnerability in index.php in Zen Software Zen Cart 2008 allows remote attackers to execute arbitrary SQL commands via the keyword parameter in the advanced_search_result page. | 7.5 |
| 2007-07-06 | CVE-2007-3597 | Improper Authentication vulnerability in ZEN Cart ZEN Cart Session fixation vulnerability in Zen Cart 1.3.7 and earlier allows remote attackers to hijack web sessions by setting the Cookie parameter. | 8.5 |
| 2006-08-17 | CVE-2006-4218 | File Include vulnerability in Zen Cart Directory traversal vulnerability in Zen Cart 1.3.0.2 and earlier allows remote attackers to include and possibly execute arbitrary local files via directory traversal sequences in the typefilter parameter. | 7.5 |
| 2006-08-17 | CVE-2006-4214 | SQL Injection vulnerability in ZEN Cart ZEN Cart Multiple SQL injection vulnerabilities in Zen Cart 1.3.0.2 and earlier allow remote attackers to execute arbitrary SQL commands via (1) GPC data to the ipn_get_stored_session function in ipn_main_handler.php, which can be leveraged to modify elements of $_SESSION; and allow remote authenticated users to execute arbitrary SQL commands via (2) a session id within a cookie to whos_online_session_recreate, (3) the quantity field to the add_cart function, (4) an id[] parameter when adding an item to a shopping cart, or (5) a redemption code when checking out (dc_redeem_code parameter to includes/modules/order_total/ot_coupon.php). | 7.5 |
| 2006-02-15 | CVE-2006-0696 | SQL-Injection vulnerability in Zen Cart SQL injection vulnerability in Zen Cart before 1.2.7 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.5 |
| 2004-12-31 | CVE-2004-2025 | SQL-Injection vulnerability in ZEN Cart ZEN Cart 1.1.3 SQL injection vulnerability in application_top.php for Zen Cart 1.1.3 before patch 2 may allow remote attackers to execute arbitrary SQL commands via the products_id parameter. | 7.5 |
| 2004-12-31 | CVE-2004-2024 | Remote Security vulnerability in ZEN Cart ZEN Cart 1.1.4 The distribution of Zen Cart 1.1.4 before patch 2 includes certain debugging code in the Admin password retrieval functionality, which allows attackers to gain administrative privileges via password_forgotten.php. | 7.5 |