Vulnerabilities > ZEN Cart > ZEN Cart > 1.3.0.1

DATE CVE VULNERABILITY TITLE RISK
2015-02-27 CVE-2015-0882 Cross-site Scripting vulnerability in Zen-Cart ZEN Cart
Multiple cross-site scripting (XSS) vulnerabilities in zencart-ja (aka Zen Cart Japanese edition) 1.3 jp through 1.3.0.2 jp8 and 1.5 ja through 1.5.1 ja allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, related to admin/includes/init_includes/init_sanitize.php and includes/init_includes/init_sanitize.php.
network
zen-cart CWE-79
4.3
4.3
2012-05-27 CVE-2012-1413 Cross-Site Scripting vulnerability in Zen-Cart ZEN Cart
Cross-site scripting (XSS) vulnerability in zc_install/includes/modules/pages/database_setup/header_php.php in Zen Cart 1.5.0 and earlier, when the software is being installed, allows remote attackers to inject arbitrary web script or HTML via the db_username parameter to zc_install/index.php.
network
high complexity
zen-cart CWE-79
2.6
2.6
2011-11-29 CVE-2011-4567 Cross-Site Scripting vulnerability in Zen-Cart ZEN Cart
Cross-site scripting (XSS) vulnerability in includes/templates/template_default/templates/tpl_gv_send_default.php in Zen Cart before 1.5 allows remote attackers to inject arbitrary web script or HTML via the message parameter in a gv_send action to index.php, a different vulnerability than CVE-2011-4547.
network
zen-cart CWE-79
4.3
4.3
2009-06-30 CVE-2009-2255 Improper Authentication vulnerability in Zen-Cart ZEN Cart
Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/record_company.php, which allows remote attackers to execute arbitrary code by uploading a .php file via the record_company_image parameter in conjunction with a PATH_INFO of password_forgotten.php, then accessing this file via a direct request to the file in images/.
network
zen-cart CWE-287
6.8
6.8
2009-06-30 CVE-2009-2254 SQL Injection vulnerability in Zen-Cart ZEN Cart
Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/sqlpatch.php, which allows remote attackers to execute arbitrary SQL commands via the query_string parameter in an execute action, in conjunction with a PATH_INFO of password_forgotten.php, related to a "SQL Execution" issue.
network
low complexity
zen-cart CWE-89
7.5
7.5