Vulnerabilities > ZEN Cart > ZEN Cart > 1.3.0.2

DATE CVE VULNERABILITY TITLE RISK
2015-02-27 CVE-2015-0882 Cross-site Scripting vulnerability in Zen-Cart ZEN Cart
Multiple cross-site scripting (XSS) vulnerabilities in zencart-ja (aka Zen Cart Japanese edition) 1.3 jp through 1.3.0.2 jp8 and 1.5 ja through 1.5.1 ja allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, related to admin/includes/init_includes/init_sanitize.php and includes/init_includes/init_sanitize.php.
network
zen-cart CWE-79
4.3
4.3
2012-05-27 CVE-2012-1413 Cross-Site Scripting vulnerability in Zen-Cart ZEN Cart
Cross-site scripting (XSS) vulnerability in zc_install/includes/modules/pages/database_setup/header_php.php in Zen Cart 1.5.0 and earlier, when the software is being installed, allows remote attackers to inject arbitrary web script or HTML via the db_username parameter to zc_install/index.php.
network
high complexity
zen-cart CWE-79
2.6
2.6
2011-11-29 CVE-2011-4567 Cross-Site Scripting vulnerability in Zen-Cart ZEN Cart
Cross-site scripting (XSS) vulnerability in includes/templates/template_default/templates/tpl_gv_send_default.php in Zen Cart before 1.5 allows remote attackers to inject arbitrary web script or HTML via the message parameter in a gv_send action to index.php, a different vulnerability than CVE-2011-4547.
network
zen-cart CWE-79
4.3
4.3
2009-08-19 CVE-2008-6986 SQL Injection vulnerability in Zen-Cart ZEN Cart
SQL injection vulnerability in the actionMultipleAddProduct function in includes/classes/shopping_cart.php in Zen Cart 1.3.0 through 1.3.8a, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the products_id array parameter in a multiple_products_add_product action, a different vulnerability than CVE-2008-6985.
network
zen-cart CWE-89
6.8
6.8
2009-06-30 CVE-2009-2255 Improper Authentication vulnerability in Zen-Cart ZEN Cart
Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/record_company.php, which allows remote attackers to execute arbitrary code by uploading a .php file via the record_company_image parameter in conjunction with a PATH_INFO of password_forgotten.php, then accessing this file via a direct request to the file in images/.
network
zen-cart CWE-287
6.8
6.8
2009-06-30 CVE-2009-2254 SQL Injection vulnerability in Zen-Cart ZEN Cart
Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/sqlpatch.php, which allows remote attackers to execute arbitrary SQL commands via the query_string parameter in an execute action, in conjunction with a PATH_INFO of password_forgotten.php, related to a "SQL Execution" issue.
network
low complexity
zen-cart CWE-89
7.5
7.5
2006-08-17 CVE-2006-4218 File Include vulnerability in Zen Cart
Directory traversal vulnerability in Zen Cart 1.3.0.2 and earlier allows remote attackers to include and possibly execute arbitrary local files via directory traversal sequences in the typefilter parameter.
network
low complexity
zen-cart
7.5
7.5
2006-07-21 CVE-2006-3757 Information Disclosure vulnerability in ZEN Cart ZEN Cart 1.3.0.2
index.php in Zen Cart 1.3.0.2 allows remote attackers to obtain sensitive information via empty (1) _GET[], (2) _SESSION[], (3) _POST[], (4) _COOKIE[], or (5) _SESSION[] array parameters, which reveals the installation path in an error message.
network
low complexity
zen-cart
5.0
5.0