1.2.3d

DATE	CVE	VULNERABILITY TITLE	RISK
2012-05-27	CVE-2012-1413	Cross-Site Scripting vulnerability in Zen-Cart ZEN Cart Cross-site scripting (XSS) vulnerability in zc_install/includes/modules/pages/database_setup/header_php.php in Zen Cart 1.5.0 and earlier, when the software is being installed, allows remote attackers to inject arbitrary web script or HTML via the db_username parameter to zc_install/index.php. network high complexity zen-cart CWE-79	2.6
2011-11-29	CVE-2011-4567	Cross-Site Scripting vulnerability in Zen-Cart ZEN Cart Cross-site scripting (XSS) vulnerability in includes/templates/template_default/templates/tpl_gv_send_default.php in Zen Cart before 1.5 allows remote attackers to inject arbitrary web script or HTML via the message parameter in a gv_send action to index.php, a different vulnerability than CVE-2011-4547. network zen-cart CWE-79	4.3
2009-08-19	CVE-2008-6985	SQL Injection vulnerability in Zen-Cart ZEN Cart Multiple SQL injection vulnerabilities in includes/classes/shopping_cart.php in Zen Cart 1.2.0 through 1.3.8a, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the id parameter when (1) adding or (2) updating the shopping cart. network zen-cart CWE-89	6.8
2009-06-30	CVE-2009-2255	Improper Authentication vulnerability in Zen-Cart ZEN Cart Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/record_company.php, which allows remote attackers to execute arbitrary code by uploading a .php file via the record_company_image parameter in conjunction with a PATH_INFO of password_forgotten.php, then accessing this file via a direct request to the file in images/. network zen-cart CWE-287	6.8
2009-06-30	CVE-2009-2254	SQL Injection vulnerability in Zen-Cart ZEN Cart Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/sqlpatch.php, which allows remote attackers to execute arbitrary SQL commands via the query_string parameter in an execute action, in conjunction with a PATH_INFO of password_forgotten.php, related to a "SQL Execution" issue. network low complexity zen-cart CWE-89	7.5
2006-08-17	CVE-2006-4218	File Include vulnerability in Zen Cart Directory traversal vulnerability in Zen Cart 1.3.0.2 and earlier allows remote attackers to include and possibly execute arbitrary local files via directory traversal sequences in the typefilter parameter. network low complexity zen-cart	7.5
2006-02-15	CVE-2006-0698	SQL-Injection vulnerability in Zen Cart Unspecified vulnerabilities in Zen Cart before 1.2.7 allow remote attackers to cause unknown impact via unspecified vectors related to "other attempted exploits" other than SQL injection. network low complexity zen-cart critical	10.0
2006-02-15	CVE-2006-0697	Permissions, Privileges, and Access Controls vulnerability in Zen-Cart ZEN Cart Zen Cart before 1.2.7 does not protect the admin/includes directory, which allows remote attackers to cause unknown impact via unspecified vectors, probably direct requests. network low complexity zen-cart CWE-264 critical	10.0
2006-02-15	CVE-2006-0696	SQL-Injection vulnerability in Zen Cart SQL injection vulnerability in Zen Cart before 1.2.7 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. network low complexity zen-cart	7.5
2005-12-05	CVE-2005-3996	SQL Injection vulnerability in Zen-Cart ZEN Cart SQL injection vulnerability in admin/password_forgotten.php in Zen Cart 1.2.6d and earlier allows remote attackers to execute arbitrary SQL commands via the admin_email parameter. network high complexity zen-cart CWE-89	5.1