Vulnerabilities > ZEN Cart > ZEN Cart > 1.1.3
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2012-05-27 | CVE-2012-1413 | Cross-Site Scripting vulnerability in Zen-Cart ZEN Cart Cross-site scripting (XSS) vulnerability in zc_install/includes/modules/pages/database_setup/header_php.php in Zen Cart 1.5.0 and earlier, when the software is being installed, allows remote attackers to inject arbitrary web script or HTML via the db_username parameter to zc_install/index.php. | 2.6 |
| 2011-11-29 | CVE-2011-4567 | Cross-Site Scripting vulnerability in Zen-Cart ZEN Cart Cross-site scripting (XSS) vulnerability in includes/templates/template_default/templates/tpl_gv_send_default.php in Zen Cart before 1.5 allows remote attackers to inject arbitrary web script or HTML via the message parameter in a gv_send action to index.php, a different vulnerability than CVE-2011-4547. | 4.3 |
| 2009-06-30 | CVE-2009-2255 | Improper Authentication vulnerability in Zen-Cart ZEN Cart Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/record_company.php, which allows remote attackers to execute arbitrary code by uploading a .php file via the record_company_image parameter in conjunction with a PATH_INFO of password_forgotten.php, then accessing this file via a direct request to the file in images/. | 6.8 |
| 2009-06-30 | CVE-2009-2254 | SQL Injection vulnerability in Zen-Cart ZEN Cart Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/sqlpatch.php, which allows remote attackers to execute arbitrary SQL commands via the query_string parameter in an execute action, in conjunction with a PATH_INFO of password_forgotten.php, related to a "SQL Execution" issue. | 7.5 |
| 2006-02-15 | CVE-2006-0697 | Permissions, Privileges, and Access Controls vulnerability in Zen-Cart ZEN Cart Zen Cart before 1.2.7 does not protect the admin/includes directory, which allows remote attackers to cause unknown impact via unspecified vectors, probably direct requests. | 10.0 |
| 2005-12-05 | CVE-2005-3996 | SQL Injection vulnerability in Zen-Cart ZEN Cart SQL injection vulnerability in admin/password_forgotten.php in Zen Cart 1.2.6d and earlier allows remote attackers to execute arbitrary SQL commands via the admin_email parameter. | 5.1 |
| 2004-12-31 | CVE-2004-2025 | SQL-Injection vulnerability in ZEN Cart ZEN Cart 1.1.3 SQL injection vulnerability in application_top.php for Zen Cart 1.1.3 before patch 2 may allow remote attackers to execute arbitrary SQL commands via the products_id parameter. | 7.5 |