Search
Find a vulnerability
Search criteria
164 vulnerabilities found for osCommerce by osCommerce
CVE-2019-25497 (GCVE-0-2019-25497)
Vulnerability from nvd – Published: 2026-02-27 17:23 – Updated: 2026-04-07 14:04
VLAI
Title
osCommerce 2.3.4.1 SQL Injection via currency Parameter
Summary
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. Attackers can send GET requests to shopping_cart.php with malicious currency values using boolean-based SQL injection payloads to extract sensitive database information.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/46328 | exploit |
| https://www.oscommerce.com | product |
| https://www.vulncheck.com/advisories/oscommerce-s… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Oscommerce | osCommerce |
Affected:
2.3.4.1
|
Date Public
2019-02-06 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-25497",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T18:21:44.856726Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T18:21:53.283Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "osCommerce",
"vendor": "Oscommerce",
"versions": [
{
"status": "affected",
"version": "2.3.4.1"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oscommerce:oscommerce:4.0:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mehmet EMIROGLU"
}
],
"datePublic": "2019-02-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. Attackers can send GET requests to shopping_cart.php with malicious currency values using boolean-based SQL injection payloads to extract sensitive database information."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:04:45.609Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46328",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46328"
},
{
"name": "osCommerce Official Website",
"tags": [
"product"
],
"url": "https://www.oscommerce.com"
},
{
"name": "VulnCheck Advisory: osCommerce 2.3.4.1 SQL Injection via currency Parameter",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/oscommerce-sql-injection-via-currency-parameter"
}
],
"title": "osCommerce 2.3.4.1 SQL Injection via currency Parameter",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25497",
"datePublished": "2026-02-27T17:23:38.536Z",
"dateReserved": "2026-02-27T17:18:18.855Z",
"dateUpdated": "2026-04-07T14:04:45.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25496 (GCVE-0-2019-25496)
Vulnerability from nvd – Published: 2026-02-27 17:23 – Updated: 2026-04-07 14:04
VLAI
Title
osCommerce 2.3.4.1 SQL Injection via products_id Parameter
Summary
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the products_id parameter. Attackers can modify the products_id value in product_info.php requests and append boolean-based SQL injection payloads to extract sensitive database information.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/46329 | exploit |
| https://www.oscommerce.com | product |
| https://www.vulncheck.com/advisories/oscommerce-s… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Oscommerce | osCommerce |
Affected:
2.3.4.1
|
Date Public
2019-02-06 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-25496",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T18:22:18.810445Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T18:22:26.478Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "osCommerce",
"vendor": "Oscommerce",
"versions": [
{
"status": "affected",
"version": "2.3.4.1"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oscommerce:oscommerce:4.0:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mehmet EMIROGLU"
}
],
"datePublic": "2019-02-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the products_id parameter. Attackers can modify the products_id value in product_info.php requests and append boolean-based SQL injection payloads to extract sensitive database information."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:04:44.882Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46329",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46329"
},
{
"name": "osCommerce Official Website",
"tags": [
"product"
],
"url": "https://www.oscommerce.com"
},
{
"name": "VulnCheck Advisory: osCommerce 2.3.4.1 SQL Injection via products_id Parameter",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/oscommerce-sql-injection-via-productsid-parameter"
}
],
"title": "osCommerce 2.3.4.1 SQL Injection via products_id Parameter",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25496",
"datePublished": "2026-02-27T17:23:37.732Z",
"dateReserved": "2026-02-27T17:18:08.829Z",
"dateUpdated": "2026-04-07T14:04:44.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25495 (GCVE-0-2019-25495)
Vulnerability from nvd – Published: 2026-02-27 17:23 – Updated: 2026-04-07 14:04
VLAI
Title
osCommerce 2.3.4.1 SQL Injection via reviews_id Parameter
Summary
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the reviews_id parameter. Attackers can send GET requests to product_reviews_write.php with malicious reviews_id values using boolean-based SQL injection payloads to extract sensitive database information.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/46330 | exploit |
| https://www.oscommerce.com | product |
| https://www.vulncheck.com/advisories/oscommerce-s… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Oscommerce | osCommerce |
Affected:
2.3.4.1
|
Date Public
2019-02-06 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-25495",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T18:25:52.208291Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T18:26:12.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "osCommerce",
"vendor": "Oscommerce",
"versions": [
{
"status": "affected",
"version": "2.3.4.1"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oscommerce:oscommerce:4.0:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mehmet EMIROGLU"
}
],
"datePublic": "2019-02-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the reviews_id parameter. Attackers can send GET requests to product_reviews_write.php with malicious reviews_id values using boolean-based SQL injection payloads to extract sensitive database information."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:04:44.088Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46330",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46330"
},
{
"name": "osCommerce Official Website",
"tags": [
"product"
],
"url": "https://www.oscommerce.com"
},
{
"name": "VulnCheck Advisory: osCommerce 2.3.4.1 SQL Injection via reviews_id Parameter",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/oscommerce-sql-injection-via-reviewsid-parameter"
}
],
"title": "osCommerce 2.3.4.1 SQL Injection via reviews_id Parameter",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25495",
"datePublished": "2026-02-27T17:23:36.955Z",
"dateReserved": "2026-02-27T17:17:58.726Z",
"dateUpdated": "2026-04-07T14:04:44.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2009-20006 (GCVE-0-2009-20006)
Vulnerability from nvd – Published: 2025-09-16 14:33 – Updated: 2026-05-15 11:13
VLAI
Title
osCommerce <= 2.2 Admin File Manager Arbitrary PHP Code Execution
Summary
osCommerce versions up to and including 2.2 RC2a contain a vulnerability in its administrative file manager utility (admin/file_manager.php). The interface allows file uploads and edits without sufficient input validation or access control. An unauthenticated attacker can craft a POST request to upload a .php file containing arbitrary code, which is then executed by the server.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://raw.githubusercontent.com/rapid7/metasplo… | exploit |
| https://www.exploit-db.com/exploits/9556 | exploit |
| https://www.exploit-db.com/exploits/16899 | exploit |
| https://www.oscommerce.com/ | product |
| https://www.vulncheck.com/advisories/oscommerce-a… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| osCommerce | osCommerce |
Affected:
0 , ≤ 2.2 RC2a
(custom)
|
Date Public
2009-08-31 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2009-20006",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-16T18:17:27.036021Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T18:17:29.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/16899"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/9556"
},
{
"tags": [
"exploit"
],
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/oscommerce_filemanager.rb"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"admin/file_manager.php"
],
"product": "osCommerce",
"vendor": "osCommerce",
"versions": [
{
"lessThanOrEqual": "2.2 RC2a",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oscommerce:oscommerce:2.2:*:*:*:*:*:*:*",
"versionEndIncluding": "rc_2a",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "flyh4t"
}
],
"datePublic": "2009-08-31T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "osCommerce versions up to and including 2.2 RC2a contain a vulnerability in its administrative file manager utility (admin/file_manager.php). The interface allows file uploads and edits without sufficient input validation or access control. An unauthenticated attacker can craft a POST request to upload a .php file containing arbitrary code, which is then executed by the server."
}
],
"value": "osCommerce versions up to and including 2.2 RC2a contain a vulnerability in its administrative file manager utility (admin/file_manager.php). The interface allows file uploads and edits without sufficient input validation or access control. An unauthenticated attacker can craft a POST request to upload a .php file containing arbitrary code, which is then executed by the server."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T11:13:15.916Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/oscommerce_filemanager.rb"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/9556"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/16899"
},
{
"tags": [
"product"
],
"url": "https://www.oscommerce.com/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/oscommerce-arbitrary-php-code-execution"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "osCommerce \u003c= 2.2 Admin File Manager Arbitrary PHP Code Execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2009-20006",
"datePublished": "2025-09-16T14:33:40.335Z",
"dateReserved": "2025-08-27T18:34:34.964Z",
"dateUpdated": "2026-05-15T11:13:15.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40674 (GCVE-0-2025-40674)
Vulnerability from nvd – Published: 2025-06-17 08:50 – Updated: 2025-06-17 14:31
VLAI
Title
Reflected Cross-Site Scripting (XSS) in osCommerce
Summary
Reflected Cross-Site Scripting (XSS) in osCommerce v4. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the name of any parameter in /watch/en/about-us. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| osCommerce | osCommerce |
Affected:
v4
|
Date Public
2025-06-16 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-40674",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T14:29:04.792133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T14:31:48.511Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "osCommerce",
"vendor": "osCommerce",
"versions": [
{
"status": "affected",
"version": "v4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gonzalo Aguilar Garc\u00eda (6h4ack)"
}
],
"datePublic": "2025-06-16T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Reflected Cross-Site Scripting (XSS) in osCommerce v4. This vulnerability allows an attacker to execute JavaScript code in the victim\u0027s browser by sending the victim a malicious URL using the name of any parameter in /watch/en/about-us. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user."
}
],
"value": "Reflected Cross-Site Scripting (XSS) in osCommerce v4. This vulnerability allows an attacker to execute JavaScript code in the victim\u0027s browser by sending the victim a malicious URL using the name of any parameter in /watch/en/about-us. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T08:50:17.363Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-oscommerce"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is no reported solution at this time.\u003cbr\u003e"
}
],
"value": "There is no reported solution at this time."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Reflected Cross-Site Scripting (XSS) in osCommerce",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-40674",
"datePublished": "2025-06-17T08:50:17.363Z",
"dateReserved": "2025-04-16T08:38:14.999Z",
"dateUpdated": "2025-06-17T14:31:48.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22724 (GCVE-0-2024-22724)
Vulnerability from nvd – Published: 2024-03-21 00:00 – Updated: 2024-08-06 14:32
VLAI
Summary
An issue was discovered in osCommerce v4, allows local attackers to bypass file upload restrictions and execute arbitrary code via administrator profile photo upload feature.
Severity
6.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| oscommerce | oscommerce |
Affected:
v4
cpe:2.3:a:oscommerce:oscommerce:-:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:51:11.101Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://medium.com/%40cupc4k3/oscommerce-v4-rce-unveiling-the-file-upload-bypass-threat-f1ac0097880c"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/osCommerce/osCommerce-V4/issues/62"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:oscommerce:oscommerce:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "oscommerce",
"vendor": "oscommerce",
"versions": [
{
"status": "affected",
"version": "v4"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-22724",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-06T14:02:53.543373Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-06T14:32:24.651Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in osCommerce v4, allows local attackers to bypass file upload restrictions and execute arbitrary code via administrator profile photo upload feature."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-21T03:32:39.582Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://medium.com/%40cupc4k3/oscommerce-v4-rce-unveiling-the-file-upload-bypass-threat-f1ac0097880c"
},
{
"url": "https://github.com/osCommerce/osCommerce-V4/issues/62"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-22724",
"datePublished": "2024-03-21T00:00:00.000Z",
"dateReserved": "2024-01-11T00:00:00.000Z",
"dateUpdated": "2024-08-06T14:32:24.651Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6609 (GCVE-0-2023-6609)
Vulnerability from nvd – Published: 2023-12-08 14:31 – Updated: 2024-08-02 08:35
VLAI
Title
osCommerce all-products cross site scripting
Summary
A vulnerability was found in osCommerce 4. It has been classified as problematic. This affects an unknown part of the file /b2b-supermarket/catalog/all-products. The manipulation of the argument keywords with the input %27%22%3E%3Cimg%2Fsrc%3D1+onerror%3Dalert%28document.cookie%29%3E leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-247245 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity
CWE
- CWE-79 - Cross Site Scripting
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.247245 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.247245 | signaturepermissions-required |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | osCommerce |
Affected:
4
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.822Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.247245"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.247245"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "osCommerce",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"value": "xfwang (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in osCommerce 4. It has been classified as problematic. This affects an unknown part of the file /b2b-supermarket/catalog/all-products. The manipulation of the argument keywords with the input %27%22%3E%3Cimg%2Fsrc%3D1+onerror%3Dalert%28document.cookie%29%3E leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-247245 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in osCommerce 4 ausgemacht. Sie wurde als problematisch eingestuft. Es betrifft eine unbekannte Funktion der Datei /b2b-supermarket/catalog/all-products. Durch das Beeinflussen des Arguments keywords mit der Eingabe %27%22%3E%3Cimg%2Fsrc%3D1+onerror%3Dalert%28document.cookie%29%3E mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-08T14:31:05.304Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.247245"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.247245"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-08T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-12-08T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-12-08T09:08:09.000Z",
"value": "VulDB entry last update"
}
],
"title": "osCommerce all-products cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-6609",
"datePublished": "2023-12-08T14:31:05.304Z",
"dateReserved": "2023-12-08T08:02:56.375Z",
"dateUpdated": "2024-08-02T08:35:14.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6579 (GCVE-0-2023-6579)
Vulnerability from nvd – Published: 2023-12-07 21:31 – Updated: 2025-02-13 17:26
VLAI
Title
osCommerce POST Parameter shopping-cart sql injection
Summary
A vulnerability, which was classified as critical, has been found in osCommerce 4. Affected by this issue is some unknown functionality of the file /b2b-supermarket/shopping-cart of the component POST Parameter Handler. The manipulation of the argument estimate[country_id] leads to sql injection. The attack may be launched remotely. The identifier of this vulnerability is VDB-247160. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity
7.3 (High)
7.3 (High)
CWE
- CWE-89 - SQL Injection
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.247160 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.247160 | signaturepermissions-required |
| http://packetstormsecurity.com/files/176124/osCom… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | osCommerce |
Affected:
4
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.684Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.247160"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.247160"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/176124/osCommerce-4-SQL-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"modules": [
"POST Parameter Handler"
],
"product": "osCommerce",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"value": "skalvin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as critical, has been found in osCommerce 4. Affected by this issue is some unknown functionality of the file /b2b-supermarket/shopping-cart of the component POST Parameter Handler. The manipulation of the argument estimate[country_id] leads to sql injection. The attack may be launched remotely. The identifier of this vulnerability is VDB-247160. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine kritische Schwachstelle wurde in osCommerce 4 entdeckt. Davon betroffen ist unbekannter Code der Datei /b2b-supermarket/shopping-cart der Komponente POST Parameter Handler. Dank Manipulation des Arguments estimate[country_id] mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-08T17:06:19.162Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.247160"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.247160"
},
{
"url": "http://packetstormsecurity.com/files/176124/osCommerce-4-SQL-Injection.html"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-07T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-12-07T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-12-07T14:08:19.000Z",
"value": "VulDB entry last update"
}
],
"title": "osCommerce POST Parameter shopping-cart sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-6579",
"datePublished": "2023-12-07T21:31:04.204Z",
"dateReserved": "2023-12-07T13:03:04.194Z",
"dateUpdated": "2025-02-13T17:26:27.974Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6296 (GCVE-0-2023-6296)
Vulnerability from nvd – Published: 2023-11-26 21:31 – Updated: 2025-02-13 17:26
VLAI
Title
osCommerce Instant Message compare cross site scripting
Summary
A vulnerability was found in osCommerce 4. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /catalog/compare of the component Instant Message Handler. The manipulation of the argument compare with the input 40dz4iq"><script>alert(1)</script>zohkx leads to cross site scripting. The attack may be launched remotely. VDB-246122 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity
4.3 (Medium)
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross Site Scripting
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.246122 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.246122 | signaturepermissions-required |
| http://packetstormsecurity.com/files/175925/osCom… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | osCommerce |
Affected:
4
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:28:20.954Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.246122"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.246122"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/175925/osCommerce-4-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6296",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-21T15:30:54.965241Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T15:35:06.723Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Instant Message Handler"
],
"product": "osCommerce",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"value": "skalvin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in osCommerce 4. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /catalog/compare of the component Instant Message Handler. The manipulation of the argument compare with the input 40dz4iq\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003ezohkx leads to cross site scripting. The attack may be launched remotely. VDB-246122 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine problematische Schwachstelle wurde in osCommerce 4 ausgemacht. Dies betrifft einen unbekannten Teil der Datei /catalog/compare der Komponente Instant Message Handler. Durch Manipulieren des Arguments compare mit der Eingabe 40dz4iq\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003ezohkx mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-27T17:06:15.658Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.246122"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.246122"
},
{
"url": "http://packetstormsecurity.com/files/175925/osCommerce-4-Cross-Site-Scripting.html"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-11-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-11-26T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-11-26T08:25:56.000Z",
"value": "VulDB entry last update"
}
],
"title": "osCommerce Instant Message compare cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-6296",
"datePublished": "2023-11-26T21:31:04.142Z",
"dateReserved": "2023-11-26T07:20:43.976Z",
"dateUpdated": "2025-02-13T17:26:16.997Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-5112 (GCVE-0-2023-5112)
Vulnerability from nvd – Published: 2023-09-30 22:08 – Updated: 2024-09-20 17:21
VLAI
Title
Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)
Summary
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.
This vulnerability allows attackers to inject JS through the "specials_type_name[1]" parameter,
potentially leading to unauthorized execution of scripts within a user's web browser.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Os Commerce | Os Commerce |
Affected:
4.12.56860
|
Date Public
2023-09-30 22:07
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:44:53.942Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oscommerce.com/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5112",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T17:21:04.723228Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T17:21:19.814Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Os Commerce",
"vendor": "Os Commerce",
"versions": [
{
"status": "affected",
"version": "4.12.56860"
}
]
}
],
"datePublic": "2023-09-30T22:07:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\u003cbr\u003eThis vulnerability allows attackers to inject JS through the \"\u003cspan style=\"background-color: var(--wht);\"\u003especials_type_name[1]\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\" parameter,\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cbr\u003e\u003c/span\u003epotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\nThis vulnerability allows attackers to inject JS through the \"specials_type_name[1]\" parameter,\npotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-06T15:50:56.131Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"url": "https://www.oscommerce.com/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2023-5112",
"datePublished": "2023-09-30T22:08:55.337Z",
"dateReserved": "2023-09-21T18:57:33.901Z",
"dateUpdated": "2024-09-20T17:21:19.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-5111 (GCVE-0-2023-5111)
Vulnerability from nvd – Published: 2023-09-30 22:08 – Updated: 2024-09-20 17:22
VLAI
Title
Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)
Summary
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.
This vulnerability allows attackers to inject JS through the "featured_type_name[1]" parameter,
potentially leading to unauthorized execution of scripts within a user's web browser.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Os Commerce | Os Commerce |
Affected:
4.12.56860
|
Date Public
2023-09-30 22:05
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:44:53.816Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oscommerce.com/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5111",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T17:21:50.750446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T17:22:03.180Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Os Commerce",
"vendor": "Os Commerce",
"versions": [
{
"status": "affected",
"version": "4.12.56860"
}
]
}
],
"datePublic": "2023-09-30T22:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\u003cbr\u003eThis vulnerability allows attackers to inject JS through the \"\u003cspan style=\"background-color: var(--wht);\"\u003efeatured_type_name[1]\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\" parameter,\u003c/span\u003e\u003cbr\u003epotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\nThis vulnerability allows attackers to inject JS through the \"featured_type_name[1]\" parameter,\npotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-03T23:12:48.211Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"url": "https://www.oscommerce.com/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2023-5111",
"datePublished": "2023-09-30T22:08:52.218Z",
"dateReserved": "2023-09-21T18:57:26.464Z",
"dateUpdated": "2024-09-20T17:22:03.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43735 (GCVE-0-2023-43735)
Vulnerability from nvd – Published: 2023-09-30 22:08 – Updated: 2024-09-20 17:22
VLAI
Title
Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)
Summary
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.
This vulnerability allows attackers to inject JS through the "formats_titles[7]" parameter,
potentially leading to unauthorized execution of scripts within a user's web browser.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Os Commerce | Os Commerce |
Affected:
4.12.56860
|
Date Public
2023-09-30 22:02
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:52:10.914Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oscommerce.com/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43735",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T17:22:21.884028Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T17:22:35.282Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Os Commerce",
"vendor": "Os Commerce",
"versions": [
{
"status": "affected",
"version": "4.12.56860"
}
]
}
],
"datePublic": "2023-09-30T22:02:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\u003cbr\u003eThis vulnerability allows attackers to inject JS through the \"\u003cspan style=\"background-color: var(--wht);\"\u003eformats_titles[7]\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\" parameter,\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cbr\u003e\u003c/span\u003epotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\nThis vulnerability allows attackers to inject JS through the \"formats_titles[7]\" parameter,\npotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-06T16:01:24.388Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"url": "https://www.oscommerce.com/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2023-43735",
"datePublished": "2023-09-30T22:08:49.377Z",
"dateReserved": "2023-09-21T18:57:16.184Z",
"dateUpdated": "2024-09-20T17:22:35.282Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43734 (GCVE-0-2023-43734)
Vulnerability from nvd – Published: 2023-09-30 22:08 – Updated: 2024-09-20 17:23
VLAI
Title
Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)
Summary
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.
This vulnerability allows attackers to inject JS through the "name" parameter,
potentially leading to unauthorized execution of scripts within a user's web browser.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Os Commerce | Os Commerce |
Affected:
4.12.56860
|
Date Public
2023-09-30 22:01
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:52:10.951Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oscommerce.com/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43734",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T17:23:08.182873Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T17:23:23.073Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Os Commerce",
"vendor": "Os Commerce",
"versions": [
{
"status": "affected",
"version": "4.12.56860"
}
]
}
],
"datePublic": "2023-09-30T22:01:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\u003cbr\u003eThis vulnerability allows attackers to inject JS through the \"\u003cspan style=\"background-color: var(--wht);\"\u003ename\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\" parameter,\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cbr\u003e\u003c/span\u003epotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\nThis vulnerability allows attackers to inject JS through the \"name\" parameter,\npotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-06T16:01:08.394Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"url": "https://www.oscommerce.com/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2023-43734",
"datePublished": "2023-09-30T22:08:47.176Z",
"dateReserved": "2023-09-21T18:57:16.184Z",
"dateUpdated": "2024-09-20T17:23:23.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43733 (GCVE-0-2023-43733)
Vulnerability from nvd – Published: 2023-09-30 22:08 – Updated: 2024-09-20 17:23
VLAI
Title
Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)
Summary
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.
This vulnerability allows attackers to inject JS through the "company_address" parameter,
potentially leading to unauthorized execution of scripts within a user's web browser.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Os Commerce | Os Commerce |
Affected:
4.12.56860
|
Date Public
2023-09-30 21:57
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:52:10.817Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oscommerce.com/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43733",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T17:23:46.449773Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T17:23:58.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Os Commerce",
"vendor": "Os Commerce",
"versions": [
{
"status": "affected",
"version": "4.12.56860"
}
]
}
],
"datePublic": "2023-09-30T21:57:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\u003cbr\u003eThis vulnerability allows attackers to inject JS through the \"\u003cspan style=\"background-color: var(--wht);\"\u003ecompany_address\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\" parameter,\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cbr\u003e\u003c/span\u003epotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\nThis vulnerability allows attackers to inject JS through the \"company_address\" parameter,\npotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-06T16:00:58.685Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"url": "https://www.oscommerce.com/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2023-43733",
"datePublished": "2023-09-30T22:08:44.735Z",
"dateReserved": "2023-09-21T18:57:16.184Z",
"dateUpdated": "2024-09-20T17:23:58.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43732 (GCVE-0-2023-43732)
Vulnerability from nvd – Published: 2023-09-30 22:08 – Updated: 2024-09-20 17:34
VLAI
Title
Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)
Summary
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.
This vulnerability allows attackers to inject JS through the "tax_class_title" parameter,
potentially leading to unauthorized execution of scripts within a user's web browser.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Os Commerce | Os Commerce |
Affected:
4.12.56860
|
Date Public
2023-09-30 21:56
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:44.177Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oscommerce.com/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43732",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T17:34:17.384101Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T17:34:35.143Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Os Commerce",
"vendor": "Os Commerce",
"versions": [
{
"status": "affected",
"version": "4.12.56860"
}
]
}
],
"datePublic": "2023-09-30T21:56:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\u003cbr\u003eThis vulnerability allows attackers to inject JS through the \"\u003cspan style=\"background-color: var(--wht);\"\u003etax_class_title\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\" parameter,\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cbr\u003e\u003c/span\u003epotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\nThis vulnerability allows attackers to inject JS through the \"tax_class_title\" parameter,\npotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-06T16:00:41.320Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"url": "https://www.oscommerce.com/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2023-43732",
"datePublished": "2023-09-30T22:08:42.715Z",
"dateReserved": "2023-09-21T18:57:16.184Z",
"dateUpdated": "2024-09-20T17:34:35.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43731 (GCVE-0-2023-43731)
Vulnerability from nvd – Published: 2023-09-30 21:55 – Updated: 2024-09-20 17:40
VLAI
Title
Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)
Summary
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.
This vulnerability allows attackers to inject JS through the "zone_name" parameter,
potentially leading to unauthorized execution of scripts within a user's web browser.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Os Commerce | Os Commerce |
Affected:
4.12.56860
|
Date Public
2023-09-30 21:51
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.838Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oscommerce.com/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43731",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T17:35:32.318840Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T17:40:56.359Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Os Commerce",
"vendor": "Os Commerce",
"versions": [
{
"status": "affected",
"version": "4.12.56860"
}
]
}
],
"datePublic": "2023-09-30T21:51:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\u003cbr\u003eThis vulnerability allows attackers to inject JS through the \"\u003cspan style=\"background-color: var(--wht);\"\u003ezone_name\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\" parameter,\u003c/span\u003e\u003cbr\u003epotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\nThis vulnerability allows attackers to inject JS through the \"zone_name\" parameter,\npotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-06T16:00:28.190Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"url": "https://www.oscommerce.com/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2023-43731",
"datePublished": "2023-09-30T21:55:02.197Z",
"dateReserved": "2023-09-21T18:56:56.249Z",
"dateUpdated": "2024-09-20T17:40:56.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43730 (GCVE-0-2023-43730)
Vulnerability from nvd – Published: 2023-09-30 21:54 – Updated: 2024-09-20 18:26
VLAI
Title
Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)
Summary
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.
This vulnerability allows attackers to inject JS through the "countries_name[1]" parameter,
potentially leading to unauthorized execution of scripts within a user's web browser.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Os Commerce | Os Commerce |
Affected:
4.12.56860
|
Date Public
2023-09-30 21:49
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.855Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oscommerce.com/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43730",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T18:26:18.964875Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T18:26:39.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Os Commerce",
"vendor": "Os Commerce",
"versions": [
{
"status": "affected",
"version": "4.12.56860"
}
]
}
],
"datePublic": "2023-09-30T21:49:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\u003cbr\u003eThis vulnerability allows attackers to inject JS through the \"\u003cspan style=\"background-color: var(--wht);\"\u003ecountries_name[1]\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\" parameter,\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cbr\u003e\u003c/span\u003epotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\nThis vulnerability allows attackers to inject JS through the \"countries_name[1]\" parameter,\npotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-06T16:00:13.738Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"url": "https://www.oscommerce.com/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2023-43730",
"datePublished": "2023-09-30T21:54:56.293Z",
"dateReserved": "2023-09-21T18:56:56.249Z",
"dateUpdated": "2024-09-20T18:26:39.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43729 (GCVE-0-2023-43729)
Vulnerability from nvd – Published: 2023-09-30 21:54 – Updated: 2024-09-20 18:44
VLAI
Title
Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)
Summary
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.
This vulnerability allows attackers to inject JS through the "xsell_type_name[1]" parameter,
potentially leading to unauthorized execution of scripts within a user's web browser.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Os Commerce | Os Commerce |
Affected:
4.12.56860
|
Date Public
2023-09-30 21:45
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.804Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oscommerce.com/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43729",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T18:43:59.850181Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T18:44:25.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Os Commerce",
"vendor": "Os Commerce",
"versions": [
{
"status": "affected",
"version": "4.12.56860"
}
]
}
],
"datePublic": "2023-09-30T21:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\u003cbr\u003eThis vulnerability allows attackers to inject JS through the \"\u003cspan style=\"background-color: var(--wht);\"\u003exsell_type_name[1]\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\" parameter,\u003c/span\u003e\u003cbr\u003epotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\nThis vulnerability allows attackers to inject JS through the \"xsell_type_name[1]\" parameter,\npotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-06T15:59:59.789Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"url": "https://www.oscommerce.com/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2023-43729",
"datePublished": "2023-09-30T21:54:54.245Z",
"dateReserved": "2023-09-21T18:56:56.248Z",
"dateUpdated": "2024-09-20T18:44:25.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43728 (GCVE-0-2023-43728)
Vulnerability from nvd – Published: 2023-09-30 21:54 – Updated: 2024-09-20 18:45
VLAI
Title
Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)
Summary
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.
This vulnerability allows attackers to inject JS through the "stock_delivery_terms_text[1]" parameter,
potentially leading to unauthorized execution of scripts within a user's web browser.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Os Commerce | Os Commerce |
Affected:
4.12.56860
|
Date Public
2023-09-30 21:41
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:44.215Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oscommerce.com/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43728",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T18:45:28.162325Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T18:45:57.427Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Os Commerce",
"vendor": "Os Commerce",
"versions": [
{
"status": "affected",
"version": "4.12.56860"
}
]
}
],
"datePublic": "2023-09-30T21:41:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\u003cbr\u003eThis vulnerability allows attackers to inject JS through the \"\u003cspan style=\"background-color: var(--wht);\"\u003estock_delivery_terms_text[1]\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\" parameter,\u003c/span\u003e\u003cbr\u003epotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\nThis vulnerability allows attackers to inject JS through the \"stock_delivery_terms_text[1]\" parameter,\npotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-06T15:59:45.246Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"url": "https://www.oscommerce.com/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2023-43728",
"datePublished": "2023-09-30T21:54:51.931Z",
"dateReserved": "2023-09-21T18:56:56.248Z",
"dateUpdated": "2024-09-20T18:45:57.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43727 (GCVE-0-2023-43727)
Vulnerability from nvd – Published: 2023-09-30 21:54 – Updated: 2024-09-20 18:46
VLAI
Title
Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)
Summary
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.
This vulnerability allows attackers to inject JS through the "stock_indication_text[1]" parameter,
potentially leading to unauthorized execution of scripts within a user's web browser.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Os Commerce | Os Commerce |
Affected:
4.12.56860
|
Date Public
2023-09-30 21:40
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:44.087Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oscommerce.com/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T18:46:37.206541Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T18:46:56.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Os Commerce",
"vendor": "Os Commerce",
"versions": [
{
"status": "affected",
"version": "4.12.56860"
}
]
}
],
"datePublic": "2023-09-30T21:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\u003cbr\u003eThis vulnerability allows attackers to inject JS through the \"\u003cspan style=\"background-color: var(--wht);\"\u003estock_indication_text[1]\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\" parameter,\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cbr\u003e\u003c/span\u003epotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\nThis vulnerability allows attackers to inject JS through the \"stock_indication_text[1]\" parameter,\npotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-06T15:59:28.878Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"url": "https://www.oscommerce.com/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2023-43727",
"datePublished": "2023-09-30T21:54:50.111Z",
"dateReserved": "2023-09-21T18:56:56.248Z",
"dateUpdated": "2024-09-20T18:46:56.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43726 (GCVE-0-2023-43726)
Vulnerability from nvd – Published: 2023-09-30 21:39 – Updated: 2024-09-20 19:03
VLAI
Title
Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)
Summary
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.
This vulnerability allows attackers to inject JS through the "orders_products_status_manual_name_long[1]" parameter,
potentially leading to unauthorized execution of scripts within a user's web browser.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Os Commerce | Os Commerce |
Affected:
4.12.56860
|
Date Public
2023-09-30 21:37
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:44.179Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oscommerce.com/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43726",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T19:02:46.734345Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T19:03:08.882Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Os Commerce",
"vendor": "Os Commerce",
"versions": [
{
"status": "affected",
"version": "4.12.56860"
}
]
}
],
"datePublic": "2023-09-30T21:37:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\u003cbr\u003eThis vulnerability allows attackers to inject JS through the \"\u003cspan style=\"background-color: var(--wht);\"\u003eorders_products_status_manual_name_long[1]\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\" parameter,\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cbr\u003e\u003c/span\u003epotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"value": "Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability.\nThis vulnerability allows attackers to inject JS through the \"orders_products_status_manual_name_long[1]\" parameter,\npotentially leading to unauthorized execution of scripts within a user\u0027s web browser."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-08T15:37:34.066Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://fluidattacks.com/advisories/bts/"
},
{
"url": "https://www.oscommerce.com/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2023-43726",
"datePublished": "2023-09-30T21:39:32.146Z",
"dateReserved": "2023-09-21T18:56:56.248Z",
"dateUpdated": "2024-09-20T19:03:08.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-25497 (GCVE-0-2019-25497)
Vulnerability from cvelistv5 – Published: 2026-02-27 17:23 – Updated: 2026-04-07 14:04
VLAI
Title
osCommerce 2.3.4.1 SQL Injection via currency Parameter
Summary
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. Attackers can send GET requests to shopping_cart.php with malicious currency values using boolean-based SQL injection payloads to extract sensitive database information.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/46328 | exploit |
| https://www.oscommerce.com | product |
| https://www.vulncheck.com/advisories/oscommerce-s… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Oscommerce | osCommerce |
Affected:
2.3.4.1
|
Date Public
2019-02-06 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-25497",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T18:21:44.856726Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T18:21:53.283Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "osCommerce",
"vendor": "Oscommerce",
"versions": [
{
"status": "affected",
"version": "2.3.4.1"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oscommerce:oscommerce:4.0:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mehmet EMIROGLU"
}
],
"datePublic": "2019-02-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. Attackers can send GET requests to shopping_cart.php with malicious currency values using boolean-based SQL injection payloads to extract sensitive database information."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:04:45.609Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46328",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46328"
},
{
"name": "osCommerce Official Website",
"tags": [
"product"
],
"url": "https://www.oscommerce.com"
},
{
"name": "VulnCheck Advisory: osCommerce 2.3.4.1 SQL Injection via currency Parameter",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/oscommerce-sql-injection-via-currency-parameter"
}
],
"title": "osCommerce 2.3.4.1 SQL Injection via currency Parameter",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25497",
"datePublished": "2026-02-27T17:23:38.536Z",
"dateReserved": "2026-02-27T17:18:18.855Z",
"dateUpdated": "2026-04-07T14:04:45.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25496 (GCVE-0-2019-25496)
Vulnerability from cvelistv5 – Published: 2026-02-27 17:23 – Updated: 2026-04-07 14:04
VLAI
Title
osCommerce 2.3.4.1 SQL Injection via products_id Parameter
Summary
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the products_id parameter. Attackers can modify the products_id value in product_info.php requests and append boolean-based SQL injection payloads to extract sensitive database information.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/46329 | exploit |
| https://www.oscommerce.com | product |
| https://www.vulncheck.com/advisories/oscommerce-s… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Oscommerce | osCommerce |
Affected:
2.3.4.1
|
Date Public
2019-02-06 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-25496",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T18:22:18.810445Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T18:22:26.478Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "osCommerce",
"vendor": "Oscommerce",
"versions": [
{
"status": "affected",
"version": "2.3.4.1"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oscommerce:oscommerce:4.0:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mehmet EMIROGLU"
}
],
"datePublic": "2019-02-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the products_id parameter. Attackers can modify the products_id value in product_info.php requests and append boolean-based SQL injection payloads to extract sensitive database information."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:04:44.882Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46329",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46329"
},
{
"name": "osCommerce Official Website",
"tags": [
"product"
],
"url": "https://www.oscommerce.com"
},
{
"name": "VulnCheck Advisory: osCommerce 2.3.4.1 SQL Injection via products_id Parameter",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/oscommerce-sql-injection-via-productsid-parameter"
}
],
"title": "osCommerce 2.3.4.1 SQL Injection via products_id Parameter",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25496",
"datePublished": "2026-02-27T17:23:37.732Z",
"dateReserved": "2026-02-27T17:18:08.829Z",
"dateUpdated": "2026-04-07T14:04:44.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25495 (GCVE-0-2019-25495)
Vulnerability from cvelistv5 – Published: 2026-02-27 17:23 – Updated: 2026-04-07 14:04
VLAI
Title
osCommerce 2.3.4.1 SQL Injection via reviews_id Parameter
Summary
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the reviews_id parameter. Attackers can send GET requests to product_reviews_write.php with malicious reviews_id values using boolean-based SQL injection payloads to extract sensitive database information.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/46330 | exploit |
| https://www.oscommerce.com | product |
| https://www.vulncheck.com/advisories/oscommerce-s… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Oscommerce | osCommerce |
Affected:
2.3.4.1
|
Date Public
2019-02-06 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-25495",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T18:25:52.208291Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T18:26:12.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "osCommerce",
"vendor": "Oscommerce",
"versions": [
{
"status": "affected",
"version": "2.3.4.1"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oscommerce:oscommerce:4.0:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mehmet EMIROGLU"
}
],
"datePublic": "2019-02-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the reviews_id parameter. Attackers can send GET requests to product_reviews_write.php with malicious reviews_id values using boolean-based SQL injection payloads to extract sensitive database information."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:04:44.088Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46330",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46330"
},
{
"name": "osCommerce Official Website",
"tags": [
"product"
],
"url": "https://www.oscommerce.com"
},
{
"name": "VulnCheck Advisory: osCommerce 2.3.4.1 SQL Injection via reviews_id Parameter",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/oscommerce-sql-injection-via-reviewsid-parameter"
}
],
"title": "osCommerce 2.3.4.1 SQL Injection via reviews_id Parameter",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25495",
"datePublished": "2026-02-27T17:23:36.955Z",
"dateReserved": "2026-02-27T17:17:58.726Z",
"dateUpdated": "2026-04-07T14:04:44.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2009-20006 (GCVE-0-2009-20006)
Vulnerability from cvelistv5 – Published: 2025-09-16 14:33 – Updated: 2026-05-15 11:13
VLAI
Title
osCommerce <= 2.2 Admin File Manager Arbitrary PHP Code Execution
Summary
osCommerce versions up to and including 2.2 RC2a contain a vulnerability in its administrative file manager utility (admin/file_manager.php). The interface allows file uploads and edits without sufficient input validation or access control. An unauthenticated attacker can craft a POST request to upload a .php file containing arbitrary code, which is then executed by the server.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://raw.githubusercontent.com/rapid7/metasplo… | exploit |
| https://www.exploit-db.com/exploits/9556 | exploit |
| https://www.exploit-db.com/exploits/16899 | exploit |
| https://www.oscommerce.com/ | product |
| https://www.vulncheck.com/advisories/oscommerce-a… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| osCommerce | osCommerce |
Affected:
0 , ≤ 2.2 RC2a
(custom)
|
Date Public
2009-08-31 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2009-20006",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-16T18:17:27.036021Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T18:17:29.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/16899"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/9556"
},
{
"tags": [
"exploit"
],
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/oscommerce_filemanager.rb"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"admin/file_manager.php"
],
"product": "osCommerce",
"vendor": "osCommerce",
"versions": [
{
"lessThanOrEqual": "2.2 RC2a",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oscommerce:oscommerce:2.2:*:*:*:*:*:*:*",
"versionEndIncluding": "rc_2a",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "flyh4t"
}
],
"datePublic": "2009-08-31T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "osCommerce versions up to and including 2.2 RC2a contain a vulnerability in its administrative file manager utility (admin/file_manager.php). The interface allows file uploads and edits without sufficient input validation or access control. An unauthenticated attacker can craft a POST request to upload a .php file containing arbitrary code, which is then executed by the server."
}
],
"value": "osCommerce versions up to and including 2.2 RC2a contain a vulnerability in its administrative file manager utility (admin/file_manager.php). The interface allows file uploads and edits without sufficient input validation or access control. An unauthenticated attacker can craft a POST request to upload a .php file containing arbitrary code, which is then executed by the server."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T11:13:15.916Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/oscommerce_filemanager.rb"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/9556"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/16899"
},
{
"tags": [
"product"
],
"url": "https://www.oscommerce.com/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/oscommerce-arbitrary-php-code-execution"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "osCommerce \u003c= 2.2 Admin File Manager Arbitrary PHP Code Execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2009-20006",
"datePublished": "2025-09-16T14:33:40.335Z",
"dateReserved": "2025-08-27T18:34:34.964Z",
"dateUpdated": "2026-05-15T11:13:15.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40674 (GCVE-0-2025-40674)
Vulnerability from cvelistv5 – Published: 2025-06-17 08:50 – Updated: 2025-06-17 14:31
VLAI
Title
Reflected Cross-Site Scripting (XSS) in osCommerce
Summary
Reflected Cross-Site Scripting (XSS) in osCommerce v4. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the name of any parameter in /watch/en/about-us. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| osCommerce | osCommerce |
Affected:
v4
|
Date Public
2025-06-16 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-40674",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T14:29:04.792133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T14:31:48.511Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "osCommerce",
"vendor": "osCommerce",
"versions": [
{
"status": "affected",
"version": "v4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gonzalo Aguilar Garc\u00eda (6h4ack)"
}
],
"datePublic": "2025-06-16T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Reflected Cross-Site Scripting (XSS) in osCommerce v4. This vulnerability allows an attacker to execute JavaScript code in the victim\u0027s browser by sending the victim a malicious URL using the name of any parameter in /watch/en/about-us. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user."
}
],
"value": "Reflected Cross-Site Scripting (XSS) in osCommerce v4. This vulnerability allows an attacker to execute JavaScript code in the victim\u0027s browser by sending the victim a malicious URL using the name of any parameter in /watch/en/about-us. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T08:50:17.363Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-oscommerce"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is no reported solution at this time.\u003cbr\u003e"
}
],
"value": "There is no reported solution at this time."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Reflected Cross-Site Scripting (XSS) in osCommerce",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-40674",
"datePublished": "2025-06-17T08:50:17.363Z",
"dateReserved": "2025-04-16T08:38:14.999Z",
"dateUpdated": "2025-06-17T14:31:48.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22724 (GCVE-0-2024-22724)
Vulnerability from cvelistv5 – Published: 2024-03-21 00:00 – Updated: 2024-08-06 14:32
VLAI
Summary
An issue was discovered in osCommerce v4, allows local attackers to bypass file upload restrictions and execute arbitrary code via administrator profile photo upload feature.
Severity
6.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| oscommerce | oscommerce |
Affected:
v4
cpe:2.3:a:oscommerce:oscommerce:-:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:51:11.101Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://medium.com/%40cupc4k3/oscommerce-v4-rce-unveiling-the-file-upload-bypass-threat-f1ac0097880c"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/osCommerce/osCommerce-V4/issues/62"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:oscommerce:oscommerce:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "oscommerce",
"vendor": "oscommerce",
"versions": [
{
"status": "affected",
"version": "v4"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-22724",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-06T14:02:53.543373Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-06T14:32:24.651Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in osCommerce v4, allows local attackers to bypass file upload restrictions and execute arbitrary code via administrator profile photo upload feature."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-21T03:32:39.582Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://medium.com/%40cupc4k3/oscommerce-v4-rce-unveiling-the-file-upload-bypass-threat-f1ac0097880c"
},
{
"url": "https://github.com/osCommerce/osCommerce-V4/issues/62"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-22724",
"datePublished": "2024-03-21T00:00:00.000Z",
"dateReserved": "2024-01-11T00:00:00.000Z",
"dateUpdated": "2024-08-06T14:32:24.651Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6609 (GCVE-0-2023-6609)
Vulnerability from cvelistv5 – Published: 2023-12-08 14:31 – Updated: 2024-08-02 08:35
VLAI
Title
osCommerce all-products cross site scripting
Summary
A vulnerability was found in osCommerce 4. It has been classified as problematic. This affects an unknown part of the file /b2b-supermarket/catalog/all-products. The manipulation of the argument keywords with the input %27%22%3E%3Cimg%2Fsrc%3D1+onerror%3Dalert%28document.cookie%29%3E leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-247245 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity
CWE
- CWE-79 - Cross Site Scripting
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.247245 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.247245 | signaturepermissions-required |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | osCommerce |
Affected:
4
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.822Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.247245"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.247245"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "osCommerce",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"value": "xfwang (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in osCommerce 4. It has been classified as problematic. This affects an unknown part of the file /b2b-supermarket/catalog/all-products. The manipulation of the argument keywords with the input %27%22%3E%3Cimg%2Fsrc%3D1+onerror%3Dalert%28document.cookie%29%3E leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-247245 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in osCommerce 4 ausgemacht. Sie wurde als problematisch eingestuft. Es betrifft eine unbekannte Funktion der Datei /b2b-supermarket/catalog/all-products. Durch das Beeinflussen des Arguments keywords mit der Eingabe %27%22%3E%3Cimg%2Fsrc%3D1+onerror%3Dalert%28document.cookie%29%3E mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-08T14:31:05.304Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.247245"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.247245"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-08T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-12-08T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-12-08T09:08:09.000Z",
"value": "VulDB entry last update"
}
],
"title": "osCommerce all-products cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-6609",
"datePublished": "2023-12-08T14:31:05.304Z",
"dateReserved": "2023-12-08T08:02:56.375Z",
"dateUpdated": "2024-08-02T08:35:14.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6579 (GCVE-0-2023-6579)
Vulnerability from cvelistv5 – Published: 2023-12-07 21:31 – Updated: 2025-02-13 17:26
VLAI
Title
osCommerce POST Parameter shopping-cart sql injection
Summary
A vulnerability, which was classified as critical, has been found in osCommerce 4. Affected by this issue is some unknown functionality of the file /b2b-supermarket/shopping-cart of the component POST Parameter Handler. The manipulation of the argument estimate[country_id] leads to sql injection. The attack may be launched remotely. The identifier of this vulnerability is VDB-247160. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity
7.3 (High)
7.3 (High)
CWE
- CWE-89 - SQL Injection
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.247160 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.247160 | signaturepermissions-required |
| http://packetstormsecurity.com/files/176124/osCom… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | osCommerce |
Affected:
4
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.684Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.247160"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.247160"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/176124/osCommerce-4-SQL-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"modules": [
"POST Parameter Handler"
],
"product": "osCommerce",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"value": "skalvin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as critical, has been found in osCommerce 4. Affected by this issue is some unknown functionality of the file /b2b-supermarket/shopping-cart of the component POST Parameter Handler. The manipulation of the argument estimate[country_id] leads to sql injection. The attack may be launched remotely. The identifier of this vulnerability is VDB-247160. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine kritische Schwachstelle wurde in osCommerce 4 entdeckt. Davon betroffen ist unbekannter Code der Datei /b2b-supermarket/shopping-cart der Komponente POST Parameter Handler. Dank Manipulation des Arguments estimate[country_id] mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-08T17:06:19.162Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.247160"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.247160"
},
{
"url": "http://packetstormsecurity.com/files/176124/osCommerce-4-SQL-Injection.html"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-07T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-12-07T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-12-07T14:08:19.000Z",
"value": "VulDB entry last update"
}
],
"title": "osCommerce POST Parameter shopping-cart sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-6579",
"datePublished": "2023-12-07T21:31:04.204Z",
"dateReserved": "2023-12-07T13:03:04.194Z",
"dateUpdated": "2025-02-13T17:26:27.974Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6296 (GCVE-0-2023-6296)
Vulnerability from cvelistv5 – Published: 2023-11-26 21:31 – Updated: 2025-02-13 17:26
VLAI
Title
osCommerce Instant Message compare cross site scripting
Summary
A vulnerability was found in osCommerce 4. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /catalog/compare of the component Instant Message Handler. The manipulation of the argument compare with the input 40dz4iq"><script>alert(1)</script>zohkx leads to cross site scripting. The attack may be launched remotely. VDB-246122 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity
4.3 (Medium)
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross Site Scripting
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.246122 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.246122 | signaturepermissions-required |
| http://packetstormsecurity.com/files/175925/osCom… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | osCommerce |
Affected:
4
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:28:20.954Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.246122"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.246122"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/175925/osCommerce-4-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6296",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-21T15:30:54.965241Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T15:35:06.723Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Instant Message Handler"
],
"product": "osCommerce",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"value": "skalvin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in osCommerce 4. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /catalog/compare of the component Instant Message Handler. The manipulation of the argument compare with the input 40dz4iq\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003ezohkx leads to cross site scripting. The attack may be launched remotely. VDB-246122 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine problematische Schwachstelle wurde in osCommerce 4 ausgemacht. Dies betrifft einen unbekannten Teil der Datei /catalog/compare der Komponente Instant Message Handler. Durch Manipulieren des Arguments compare mit der Eingabe 40dz4iq\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003ezohkx mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-27T17:06:15.658Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.246122"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.246122"
},
{
"url": "http://packetstormsecurity.com/files/175925/osCommerce-4-Cross-Site-Scripting.html"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-11-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-11-26T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-11-26T08:25:56.000Z",
"value": "VulDB entry last update"
}
],
"title": "osCommerce Instant Message compare cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-6296",
"datePublished": "2023-11-26T21:31:04.142Z",
"dateReserved": "2023-11-26T07:20:43.976Z",
"dateUpdated": "2025-02-13T17:26:16.997Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}