Search criteria
54 vulnerabilities found for cs-cart by cs-cart
FKIE_CVE-2025-50850
Vulnerability from fkie_nvd - Published: 2025-07-31 16:15 - Updated: 2025-08-06 16:34
Severity ?
Summary
An issue was discovered in CS Cart 4.18.3 allows the vendor login functionality lacks essential security controls such as CAPTCHA verification and rate limiting. This allows an attacker to systematically attempt various combinations of usernames and passwords (brute-force attack) to gain unauthorized access to vendor accounts. The absence of any blocking mechanism makes the login endpoint susceptible to automated attacks.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://cs.com | Not Applicable | |
| cve@mitre.org | https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50850.md | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.18.3:*:*:*:*:*:*:*",
"matchCriteriaId": "697E87F8-685B-468D-8876-535E807BA897",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in CS Cart 4.18.3 allows the vendor login functionality lacks essential security controls such as CAPTCHA verification and rate limiting. This allows an attacker to systematically attempt various combinations of usernames and passwords (brute-force attack) to gain unauthorized access to vendor accounts. The absence of any blocking mechanism makes the login endpoint susceptible to automated attacks."
},
{
"lang": "es",
"value": "Se descubri\u00f3 un problema en CS Cart 4.18.3 que permite que la funci\u00f3n de inicio de sesi\u00f3n del proveedor carezca de controles de seguridad esenciales, como la verificaci\u00f3n CAPTCHA y la limitaci\u00f3n de velocidad. Esto permite que un atacante intente sistem\u00e1ticamente diversas combinaciones de nombres de usuario y contrase\u00f1as (ataque de fuerza bruta) para obtener acceso no autorizado a las cuentas del proveedor. La ausencia de cualquier mecanismo de bloqueo hace que el endpoint de inicio de sesi\u00f3n sea vulnerable a ataques automatizados."
}
],
"id": "CVE-2025-50850",
"lastModified": "2025-08-06T16:34:48.977",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-07-31T16:15:31.163",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
],
"url": "http://cs.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50850.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
},
{
"lang": "en",
"value": "CWE-804"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-50848
Vulnerability from fkie_nvd - Published: 2025-07-31 16:15 - Updated: 2025-08-06 16:35
Severity ?
Summary
A file upload vulnerability was discovered in CS Cart 4.18.3, allows attackers to execute arbitrary code. CS Cart 4.18.3 allows unrestricted upload of HTML files, which are rendered directly in the browser when accessed. This allows an attacker to upload a crafted HTML file containing malicious content, such as a fake login form for credential harvesting or scripts for Cross-Site Scripting (XSS) attacks. Since the content is served from a trusted domain, it significantly increases the likelihood of successful phishing or script execution against other users.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://cs.com | Not Applicable | |
| cve@mitre.org | https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50848.md | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.18.3:*:*:*:*:*:*:*",
"matchCriteriaId": "697E87F8-685B-468D-8876-535E807BA897",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A file upload vulnerability was discovered in CS Cart 4.18.3, allows attackers to execute arbitrary code. CS Cart 4.18.3 allows unrestricted upload of HTML files, which are rendered directly in the browser when accessed. This allows an attacker to upload a crafted HTML file containing malicious content, such as a fake login form for credential harvesting or scripts for Cross-Site Scripting (XSS) attacks. Since the content is served from a trusted domain, it significantly increases the likelihood of successful phishing or script execution against other users."
},
{
"lang": "es",
"value": "Se descubri\u00f3 una vulnerabilidad de carga de archivos en CS Cart 4.18.3 que permite a los atacantes ejecutar c\u00f3digo arbitrario. CS Cart 4.18.3 permite la carga sin restricciones de archivos HTML, que se muestran directamente en el navegador al acceder a ellos. Esto permite a un atacante cargar un archivo HTML manipulado con contenido malicioso, como un formulario de inicio de sesi\u00f3n falso para la recolecci\u00f3n de credenciales o scripts para ataques de Cross-site Scripting (XSS). Dado que el contenido se distribuye desde un dominio de confianza, aumenta significativamente la probabilidad de phishing o ejecuci\u00f3n de scripts contra otros usuarios."
}
],
"id": "CVE-2025-50848",
"lastModified": "2025-08-06T16:35:06.037",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-07-31T16:15:30.843",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
],
"url": "http://cs.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50848.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-50847
Vulnerability from fkie_nvd - Published: 2025-07-31 16:15 - Updated: 2025-08-06 16:36
Severity ?
Summary
Cross Site Request Forgery (CSRF) vulnerability in CS Cart 4.18.3, allows attackers to add products to a user's comparison list via a crafted HTTP request.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://cs.com | Not Applicable | |
| cve@mitre.org | https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50847.md | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.18.3:*:*:*:*:*:*:*",
"matchCriteriaId": "697E87F8-685B-468D-8876-535E807BA897",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Request Forgery (CSRF) vulnerability in CS Cart 4.18.3, allows attackers to add products to a user\u0027s comparison list via a crafted HTTP request."
},
{
"lang": "es",
"value": "La vulnerabilidad de Cross Site Request Forgery (CSRF) en CS Cart 4.18.3 permite a los atacantes agregar productos a la lista de comparaci\u00f3n de un usuario a trav\u00e9s de una solicitud HTTP manipulada."
}
],
"id": "CVE-2025-50847",
"lastModified": "2025-08-06T16:36:17.257",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-07-31T16:15:30.683",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
],
"url": "http://cs.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50847.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2021-32202
Vulnerability from fkie_nvd - Published: 2021-09-14 12:15 - Updated: 2024-11-21 06:06
Severity ?
Summary
In CS-Cart version 4.11.1, it is possible to induce copy-paste XSS by manipulating the "post description" filed in the blog post creation page.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/l00neyhacker/CVE-2021-32202 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/l00neyhacker/CVE-2021-32202 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "40BACF85-E13D-46C8-BA41-AC4BC414CBBF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In CS-Cart version 4.11.1, it is possible to induce copy-paste XSS by manipulating the \"post description\" filed in the blog post creation page."
},
{
"lang": "es",
"value": "En CS-Cart versi\u00f3n 4.11.1, es posible inducir un ataque de tipo XSS de tipo copy-paste al manipular el archivo \"post description\" en la p\u00e1gina de creaci\u00f3n de posts"
}
],
"id": "CVE-2021-32202",
"lastModified": "2024-11-21T06:06:54.120",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-14T12:15:08.727",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/l00neyhacker/CVE-2021-32202"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/l00neyhacker/CVE-2021-32202"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-15673
Vulnerability from fkie_nvd - Published: 2017-11-28 15:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP code via vectors involving a custom page.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/145096/CSC-Cart-4.6.2-Shell-Upload.html | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/145096/CSC-Cart-4.6.2-Shell-Upload.html | Third Party Advisory, VDB Entry |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:*:*:*:*:*:*:*:*",
"matchCriteriaId": "469021A1-1D58-45D5-9BC9-0A5656D0F71D",
"versionEndIncluding": "4.6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP code via vectors involving a custom page."
},
{
"lang": "es",
"value": "La funci\u00f3n files en la secci\u00f3n de administraci\u00f3n en CS-Cart 4.6.2 y anteriores permite que atacantes ejecuten c\u00f3digo PHP arbitrario mediante vectores relacionados con una p\u00e1gina personalizada."
}
],
"id": "CVE-2017-15673",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-11-28T15:29:00.197",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/145096/CSC-Cart-4.6.2-Shell-Upload.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/145096/CSC-Cart-4.6.2-Shell-Upload.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-10886
Vulnerability from fkie_nvd - Published: 2017-11-17 14:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
Cross-site scripting vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows an attacker to inject arbitrary web script or HTML via unspecified vectors.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | http://tips.cs-cart.jp/fix-jvn-29602086.html | Vendor Advisory | |
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN29602086/index.html | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://tips.cs-cart.jp/fix-jvn-29602086.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/jp/JVN29602086/index.html | Third Party Advisory, VDB Entry |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.0.1:*:*:ja:*:*:*:*",
"matchCriteriaId": "7CEDDB5F-0042-4F91-A374-72F6EA9FE8C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.0.2:*:*:ja:*:*:*:*",
"matchCriteriaId": "09888B17-F813-4B09-971A-5EE64C84B223",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.0.3:*:*:ja:*:*:*:*",
"matchCriteriaId": "A4586C46-0266-4D02-A218-11E9B6C75258",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.1.1:*:*:ja:*:*:*:*",
"matchCriteriaId": "1795D3A8-F3B7-4B00-8221-62F597888DE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.1.2:*:*:ja:*:*:*:*",
"matchCriteriaId": "060D0460-2ECD-41E5-934F-EDC39D75AF28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.1.3:*:*:ja:*:*:*:*",
"matchCriteriaId": "34F92804-A076-4877-A35A-3C6E9ABCC60D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.1.4:*:*:ja:*:*:*:*",
"matchCriteriaId": "5689776B-779D-4C83-B837-FC97F53A3F6B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.2.1:*:*:ja:*:*:*:*",
"matchCriteriaId": "36C1D456-0A84-4A7A-9CDF-CC25013EA2D0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.2.2:*:*:ja:*:*:*:*",
"matchCriteriaId": "215F550E-3946-4FC1-A53D-2159FB085C42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.2.3:*:*:ja:*:*:*:*",
"matchCriteriaId": "DEBEC0F2-04BC-4EDC-B406-8566EBA6BFC7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.2.4:*:*:ja:*:*:*:*",
"matchCriteriaId": "6696CFF2-8CA3-476C-93C4-26DD2DD03EF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.3.1:*:*:ja:*:*:*:*",
"matchCriteriaId": "1AAFC419-F733-4513-8C91-09752D8D59F1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.3.2:*:*:ja:*:*:*:*",
"matchCriteriaId": "42F2E657-E293-4375-A9DA-10427E805A64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.3.3:*:*:ja:*:*:*:*",
"matchCriteriaId": "01132E65-36E4-46BF-92B8-8C650A809C59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.3.4:*:*:ja:*:*:*:*",
"matchCriteriaId": "7B7A9A8F-7429-44C3-92DA-A7FE24731F9F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.3.5:*:*:ja:*:*:*:*",
"matchCriteriaId": "AC17365C-07EB-468F-9645-C9F17BE39129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.3.6:*:*:ja:*:*:*:*",
"matchCriteriaId": "44A94CAE-30F6-414E-806B-721FE65AFFCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.3.7:*:*:ja:*:*:*:*",
"matchCriteriaId": "BAA8F0F8-3EB4-4D5E-88E1-F92B8A36977F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.3.8:*:*:ja:*:*:*:*",
"matchCriteriaId": "00CAB998-2FF9-4352-90ED-A6102BFA0223",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.3.9:*:*:ja:*:*:*:*",
"matchCriteriaId": "0E0F42A0-15F9-4587-A608-52D9F9EB18D0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.3.10:*:*:ja:*:*:*:*",
"matchCriteriaId": "BA6DD97F-4315-4483-9540-868E4EF479A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.0.1:*:*:ja:*:*:*:*",
"matchCriteriaId": "5ADC7033-B392-46DB-B04B-2B7AB514AFA2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.0.2:*:*:ja:*:*:*:*",
"matchCriteriaId": "D2531207-2B53-4CEF-9724-A3D958DC38D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.0.3:*:*:ja:*:*:*:*",
"matchCriteriaId": "BDC2FD45-31E7-4838-85A9-3C184DDA68C8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.1.1:*:*:ja:*:*:*:*",
"matchCriteriaId": "0B3B4C1C-B63E-451D-BC9A-CB45C3A5A4FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.1.2:*:*:ja:*:*:*:*",
"matchCriteriaId": "03A50D9D-4321-48C7-B362-D7D02768E30C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.1.3:*:*:ja:*:*:*:*",
"matchCriteriaId": "178E2618-9FED-452F-B379-36D50D544BC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.1.4:*:*:ja:*:*:*:*",
"matchCriteriaId": "2C822C02-3E28-4412-803D-10F2D5AC4D5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.2.1:*:*:ja:*:*:*:*",
"matchCriteriaId": "5B43CD84-D885-4006-BADA-7E1A3012608C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.2.2:*:*:ja:*:*:*:*",
"matchCriteriaId": "CD843B2F-A3D5-49A5-B9F0-B8FC146931AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.2.3:*:*:ja:*:*:*:*",
"matchCriteriaId": "01C42531-506B-41FF-ADD8-BFE4C492E5D0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.2.4:*:*:ja:*:*:*:*",
"matchCriteriaId": "3BE29145-9836-4A10-AF2D-BB1EE63820C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.3.1:*:*:ja:*:*:*:*",
"matchCriteriaId": "8F33ECEC-3011-4131-AE8F-E44DF85F33ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.3.2:*:*:ja:*:*:*:*",
"matchCriteriaId": "4C2FEE8A-DB91-43E6-9DC1-AB78DE23FF81",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.3.3:*:*:ja:*:*:*:*",
"matchCriteriaId": "FD83A201-9C79-47BA-BA15-145A46FEEBEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.3.4:*:*:ja:*:*:*:*",
"matchCriteriaId": "4A03FAC1-4E22-4344-95E1-87A409C98507",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.3.5:*:*:ja:*:*:*:*",
"matchCriteriaId": "1CC2EBD9-05B5-402C-B650-33BB86FC6043",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.3.6:*:*:ja:*:*:*:*",
"matchCriteriaId": "1D9545E8-20E6-46E1-BBDB-662D07DB1E4B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.3.7:*:*:ja:*:*:*:*",
"matchCriteriaId": "637065FC-883A-4E51-94B5-8F38F0574BCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.3.8:*:*:ja:*:*:*:*",
"matchCriteriaId": "5EBCC962-D3B4-4588-87EA-988CBD8EE7FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.3.9:*:*:ja:*:*:*:*",
"matchCriteriaId": "39E7A002-9015-4D75-AF02-21964DE6C0EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:4.3.10:*:*:ja:*:*:*:*",
"matchCriteriaId": "14591AE4-58B9-4F71-BA5E-A1C897979A35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows an attacker to inject arbitrary web script or HTML via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-Site Scripting (XSS) en CS-Cart Japanese Edition v4.3.10 y versiones anteriores (excepto v2 y v3) y CS-Cart Multivendor Japanese Edition v4.3.10 y versiones anteriores (excepto v2 y v3) que permite que un atacante inyecte scripts web o HTML arbitrarios mediante vectores no especificados."
}
],
"id": "CVE-2017-10886",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-11-17T14:29:00.247",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Vendor Advisory"
],
"url": "http://tips.cs-cart.jp/fix-jvn-29602086.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://jvn.jp/en/jp/JVN29602086/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tips.cs-cart.jp/fix-jvn-29602086.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://jvn.jp/en/jp/JVN29602086/index.html"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-2138
Vulnerability from fkie_nvd - Published: 2017-08-02 16:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows remote attackers to hijack the authentication of administrators via unspecified vectors.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | http://tips.cs-cart.jp/fix-csrf-20170406.html | Vendor Advisory | |
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN87770873/index.html | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://tips.cs-cart.jp/fix-csrf-20170406.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/jp/JVN87770873/index.html | Third Party Advisory, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cs-cart | cs-cart | * | |
| cs-cart | cs-cart_multivendor | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:*:*:*:*:japanese:*:*:*",
"matchCriteriaId": "E8652FFE-26AB-4CEC-8411-41932837AA7D",
"versionEndIncluding": "4.3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart_multivendor:*:*:*:*:japanese:*:*:*",
"matchCriteriaId": "C81B130D-46A0-4B66-9A20-BDF9FFE97E56",
"versionEndIncluding": "4.3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows remote attackers to hijack the authentication of administrators via unspecified vectors."
},
{
"lang": "es",
"value": "Se ha encontrado una vulnerabilidad de tipo cross-site request forgery (CSRF) en CS-Cart Japanese Edition v4.3.10 y versiones anteriores (excepto v2 y v3); y CS-Cart Multivendor Japanese Edition v4.3.10 y versiones anteriores (excepto v2 y v3). Esta vulnerabilidad permite que los atacantes puedan apropiarse de la autenticaci\u00f3n de los administradores utilizando vectores no especificados."
}
],
"id": "CVE-2017-2138",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-08-02T16:29:00.283",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Vendor Advisory"
],
"url": "http://tips.cs-cart.jp/fix-csrf-20170406.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://jvn.jp/en/jp/JVN87770873/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://tips.cs-cart.jp/fix-csrf-20170406.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://jvn.jp/en/jp/JVN87770873/index.html"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2016-4862
Vulnerability from fkie_nvd - Published: 2017-04-20 18:59 - Updated: 2025-04-20 01:37
Severity ?
Summary
Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remote authenticated users to execute arbitrary PHP code on the servers.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | http://jvn.jp/en/jp/JVN55389065/index.html | Third Party Advisory, VDB Entry | |
| vultures@jpcert.or.jp | http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000157.html | Third Party Advisory, VDB Entry | |
| vultures@jpcert.or.jp | http://tips.cs-cart.jp/fix-twigmo-vulnerability-20160914.html | Patch, Vendor Advisory | |
| vultures@jpcert.or.jp | http://www.securityfocus.com/bid/92992 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://jvn.jp/en/jp/JVN55389065/index.html | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000157.html | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://tips.cs-cart.jp/fix-twigmo-vulnerability-20160914.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/92992 | Third Party Advisory, VDB Entry |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BFE1A4BE-7D37-48F8-92D9-32D44102649B",
"versionEndIncluding": "4.3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:*:*:*:*:marketplace:*:*:*",
"matchCriteriaId": "825F0BB4-A1AA-4125-87D4-A423DB3DC6BA",
"versionEndIncluding": "4.3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remote authenticated users to execute arbitrary PHP code on the servers."
},
{
"lang": "es",
"value": "Instalador Twigmo con CS-Cart 4.3.9 y en versiones anteriores e instalador Twigmo con CS-Cart Multi-Vendor 4.3.9 y en versiones anteriores permite a usuarios remotos autenticados ejecutar c\u00f3digo arbitrario PHP en los servidores."
}
],
"id": "CVE-2016-4862",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-04-20T18:59:00.763",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://jvn.jp/en/jp/JVN55389065/index.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000157.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tips.cs-cart.jp/fix-twigmo-vulnerability-20160914.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/92992"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://jvn.jp/en/jp/JVN55389065/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000157.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://tips.cs-cart.jp/fix-twigmo-vulnerability-20160914.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/92992"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2015-2701
Vulnerability from fkie_nvd - Published: 2015-03-25 14:59 - Updated: 2025-04-12 10:46
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of users for requests that change a user password via a request to profiles-update/.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "E7E16961-5642-4834-9267-BE3FAB7CE26F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of users for requests that change a user password via a request to profiles-update/."
},
{
"lang": "es",
"value": "Vulnerabilidad de CSRF en CS-Cart 4.2.4 permite a atacantes remotos secuestrar la autenticaci\u00f3n de usuarios para solicitudes que cambian una contrase\u00f1a de usuario a trav\u00e9s de una solicitud a profiles-update/."
}
],
"id": "CVE-2015-2701",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2015-03-25T14:59:06.453",
"references": [
{
"source": "cve@mitre.org",
"url": "http://osvdb.org/show/osvdb/119632"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/36358"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/72658"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/show/osvdb/119632"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/36358"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/72658"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2013-7317
Vulnerability from fkie_nvd - Published: 2014-01-24 15:08 - Updated: 2025-04-11 00:51
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) settings_file or (2) data_file parameter to (a) ampie.swf, (b) amline.swf, or (c) amcolumn.swf.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://www.kb.cert.org/vuls/id/405942 | US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.kb.cert.org/vuls/id/405942 | US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cs-cart | cs-cart | * | |
| cs-cart | cs-cart | 1.3.0 | |
| cs-cart | cs-cart | 1.3.2 | |
| cs-cart | cs-cart | 1.3.3 | |
| cs-cart | cs-cart | 1.3.4 | |
| cs-cart | cs-cart | 2.0 | |
| cs-cart | cs-cart | 2.0.5 | |
| cs-cart | cs-cart | 2.0.6 | |
| cs-cart | cs-cart | 2.0.7 | |
| cs-cart | cs-cart | 2.0.8 | |
| cs-cart | cs-cart | 2.0.9 | |
| cs-cart | cs-cart | 2.0.10 | |
| cs-cart | cs-cart | 2.0.11 | |
| cs-cart | cs-cart | 2.0.12 | |
| cs-cart | cs-cart | 2.0.13 | |
| cs-cart | cs-cart | 2.0.14 | |
| cs-cart | cs-cart | 2.0.15 | |
| cs-cart | cs-cart | 2.1 | |
| cs-cart | cs-cart | 2.1.1 | |
| cs-cart | cs-cart | 2.1.2 | |
| cs-cart | cs-cart | 2.1.3 | |
| cs-cart | cs-cart | 2.1.4 | |
| cs-cart | cs-cart | 2.2.1 | |
| cs-cart | cs-cart | 2.2.2 | |
| cs-cart | cs-cart | 2.2.3 | |
| cs-cart | cs-cart | 2.2.4 | |
| cs-cart | cs-cart | 2.2.5 | |
| cs-cart | cs-cart | 3.0 | |
| cs-cart | cs-cart | 3.0.2 | |
| cs-cart | cs-cart | 3.0.3 | |
| cs-cart | cs-cart | 3.0.4 | |
| cs-cart | cs-cart | 3.0.5 | |
| cs-cart | cs-cart | 3.0.6 | |
| cs-cart | cs-cart | 4.0 | |
| cs-cart | cs-cart | 4.0.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5457E337-5FDE-4EAC-B4A9-F32C02B93EC3",
"versionEndIncluding": "4.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4EA28C65-C87E-47B9-AEB2-A2007851A2DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:1.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "2560C3BF-C7DC-4645-B278-F86658660ADE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:1.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "48662D7D-F946-45A4-AC02-0A25168154E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:1.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "69BFEF50-A4AE-4F21-A95F-0DB220E0646C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "24A42E28-C26D-45EF-AAE4-DACFB5985F9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "3A79978F-42B3-4A3F-BFB0-E473DCF4A7E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "85082B70-6B99-419D-B997-000A874DECE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "CE709E67-54A6-49CA-B39A-C7A3505C9FD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "C4E9A619-70D3-43E1-8FBD-68EDD5A0BB77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "EB8112B0-6D7B-4F5F-9BBA-14569AC2BFA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "D937903E-EB19-4128-9B34-0828AE74CFAE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "11B8D296-C729-400C-8421-08DC98FE4BA0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "5AD16058-552D-46BD-BC7E-7D75CCA3037E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "93144EE9-58DF-4BB6-8FAC-9FD95DF95100",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "45774F49-B37E-480C-94F0-278989392C9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "FFB4667A-CB3E-4E1D-B90B-CB2EB5142925",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "CD6CF3A4-EE73-4CE6-A298-1D9154428256",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "1391D8DB-3F10-45A2-97EE-A673EF589C7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EC146FFC-A389-4652-A7D8-B4069FBF13F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B4EAC9A8-6717-4B15-A241-33F59F9CBD05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "5F429C2E-07A5-401B-BCA6-DFB73D684B34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "581B4B82-A207-42A3-ADD9-BC457C131B2B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "DBF00DF1-E596-4860-87E7-1D6204548B1E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "818EBABA-2C78-4B90-A64B-CD80878F9904",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F577A6F2-EDE2-4543-8EF6-9B0E68BAFBA4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:2.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "B0F1C5BF-C2B1-4AA2-B643-E472B64EEA49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "52F3E4CE-4A77-42CE-9F57-B5D05CCF05D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4BA204ED-767B-4928-8870-33B25A10F3A4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "BB2D439E-F3D1-4D3A-90EC-50EE09CAD1A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "99F8E1C7-C33F-4BC9-A560-50439233F53E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F875B985-904D-41BF-A499-49B4A0308235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "5350081E-435F-4F3E-B679-539F888F2E44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D2D9A12D-89EB-4133-A774-F7D1FB6138B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cs-cart:cs-cart:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "2A212F38-E6B3-44FE-9FAD-83DEE877497D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) settings_file or (2) data_file parameter to (a) ampie.swf, (b) amline.swf, or (c) amcolumn.swf."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades cross-site scripting (XSS) en CS-Cart anteriores a 4.1.1 permiten a atacantes remotos inyectar scripts web o HTML arbitrarios a trav\u00e9s del par\u00e1metro (1) settings_file o (2) data_file de (a) ample.swf, (b) amline.swf, o (c) amcolumn.swf."
}
],
"id": "CVE-2013-7317",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2014-01-24T15:08:00.793",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/405942"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/405942"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-50850 (GCVE-0-2025-50850)
Vulnerability from cvelistv5 – Published: 2025-07-31 00:00 – Updated: 2025-07-31 19:57
VLAI?
Summary
An issue was discovered in CS Cart 4.18.3 allows the vendor login functionality lacks essential security controls such as CAPTCHA verification and rate limiting. This allows an attacker to systematically attempt various combinations of usernames and passwords (brute-force attack) to gain unauthorized access to vendor accounts. The absence of any blocking mechanism makes the login endpoint susceptible to automated attacks.
Severity ?
8.6 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-50850",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T19:51:44.917545Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-804",
"description": "CWE-804 Guessable CAPTCHA",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T19:57:19.017Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in CS Cart 4.18.3 allows the vendor login functionality lacks essential security controls such as CAPTCHA verification and rate limiting. This allows an attacker to systematically attempt various combinations of usernames and passwords (brute-force attack) to gain unauthorized access to vendor accounts. The absence of any blocking mechanism makes the login endpoint susceptible to automated attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T15:39:52.563Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://cs.com"
},
{
"url": "https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50850.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-50850",
"datePublished": "2025-07-31T00:00:00.000Z",
"dateReserved": "2025-06-16T00:00:00.000Z",
"dateUpdated": "2025-07-31T19:57:19.017Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-50848 (GCVE-0-2025-50848)
Vulnerability from cvelistv5 – Published: 2025-07-31 00:00 – Updated: 2025-07-31 19:58
VLAI?
Summary
A file upload vulnerability was discovered in CS Cart 4.18.3, allows attackers to execute arbitrary code. CS Cart 4.18.3 allows unrestricted upload of HTML files, which are rendered directly in the browser when accessed. This allows an attacker to upload a crafted HTML file containing malicious content, such as a fake login form for credential harvesting or scripts for Cross-Site Scripting (XSS) attacks. Since the content is served from a trusted domain, it significantly increases the likelihood of successful phishing or script execution against other users.
Severity ?
6.1 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-50848",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T19:57:54.209444Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T19:58:25.756Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A file upload vulnerability was discovered in CS Cart 4.18.3, allows attackers to execute arbitrary code. CS Cart 4.18.3 allows unrestricted upload of HTML files, which are rendered directly in the browser when accessed. This allows an attacker to upload a crafted HTML file containing malicious content, such as a fake login form for credential harvesting or scripts for Cross-Site Scripting (XSS) attacks. Since the content is served from a trusted domain, it significantly increases the likelihood of successful phishing or script execution against other users."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T15:57:36.275Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://cs.com"
},
{
"url": "https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50848.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-50848",
"datePublished": "2025-07-31T00:00:00.000Z",
"dateReserved": "2025-06-16T00:00:00.000Z",
"dateUpdated": "2025-07-31T19:58:25.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-50847 (GCVE-0-2025-50847)
Vulnerability from cvelistv5 – Published: 2025-07-31 00:00 – Updated: 2025-07-31 19:51
VLAI?
Summary
Cross Site Request Forgery (CSRF) vulnerability in CS Cart 4.18.3, allows attackers to add products to a user's comparison list via a crafted HTTP request.
Severity ?
6.5 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-50847",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T19:50:30.992521Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T19:51:08.514Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Request Forgery (CSRF) vulnerability in CS Cart 4.18.3, allows attackers to add products to a user\u0027s comparison list via a crafted HTTP request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T15:42:14.761Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://cs.com"
},
{
"url": "https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50847.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-50847",
"datePublished": "2025-07-31T00:00:00.000Z",
"dateReserved": "2025-06-16T00:00:00.000Z",
"dateUpdated": "2025-07-31T19:51:08.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32202 (GCVE-0-2021-32202)
Vulnerability from cvelistv5 – Published: 2021-09-14 11:37 – Updated: 2024-08-03 23:17
VLAI?
Summary
In CS-Cart version 4.11.1, it is possible to induce copy-paste XSS by manipulating the "post description" filed in the blog post creation page.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:17:29.209Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/l00neyhacker/CVE-2021-32202"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In CS-Cart version 4.11.1, it is possible to induce copy-paste XSS by manipulating the \"post description\" filed in the blog post creation page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-14T11:37:58",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/l00neyhacker/CVE-2021-32202"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-32202",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In CS-Cart version 4.11.1, it is possible to induce copy-paste XSS by manipulating the \"post description\" filed in the blog post creation page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/l00neyhacker/CVE-2021-32202",
"refsource": "MISC",
"url": "https://github.com/l00neyhacker/CVE-2021-32202"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-32202",
"datePublished": "2021-09-14T11:37:58",
"dateReserved": "2021-05-07T00:00:00",
"dateUpdated": "2024-08-03T23:17:29.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-15673 (GCVE-0-2017-15673)
Vulnerability from cvelistv5 – Published: 2017-11-28 15:00 – Updated: 2024-08-05 19:57
VLAI?
Summary
The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP code via vectors involving a custom page.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:57:27.597Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/145096/CSC-Cart-4.6.2-Shell-Upload.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-11-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP code via vectors involving a custom page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-11-28T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/145096/CSC-Cart-4.6.2-Shell-Upload.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-15673",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP code via vectors involving a custom page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://packetstormsecurity.com/files/145096/CSC-Cart-4.6.2-Shell-Upload.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/145096/CSC-Cart-4.6.2-Shell-Upload.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-15673",
"datePublished": "2017-11-28T15:00:00",
"dateReserved": "2017-10-20T00:00:00",
"dateUpdated": "2024-08-05T19:57:27.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-10886 (GCVE-0-2017-10886)
Vulnerability from cvelistv5 – Published: 2017-11-17 14:00 – Updated: 2024-08-05 17:50
VLAI?
Summary
Cross-site scripting vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows an attacker to inject arbitrary web script or HTML via unspecified vectors.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Frogman Office Inc. | CS-Cart Japanese Edition |
Affected:
v4.3.10 and earlier (excluding v2 and v3)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:50:12.728Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "JVN#29602086",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN29602086/index.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://tips.cs-cart.jp/fix-jvn-29602086.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CS-Cart Japanese Edition",
"vendor": "Frogman Office Inc.",
"versions": [
{
"status": "affected",
"version": "v4.3.10 and earlier (excluding v2 and v3)"
}
]
},
{
"product": "CS-Cart Multivendor Japanese Edition",
"vendor": "Frogman Office Inc.",
"versions": [
{
"status": "affected",
"version": "v4.3.10 and earlier (excluding v2 and v3)"
}
]
}
],
"datePublic": "2017-11-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows an attacker to inject arbitrary web script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-11-17T13:57:01",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"name": "JVN#29602086",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "https://jvn.jp/en/jp/JVN29602086/index.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://tips.cs-cart.jp/fix-jvn-29602086.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2017-10886",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CS-Cart Japanese Edition",
"version": {
"version_data": [
{
"version_value": "v4.3.10 and earlier (excluding v2 and v3)"
}
]
}
},
{
"product_name": "CS-Cart Multivendor Japanese Edition",
"version": {
"version_data": [
{
"version_value": "v4.3.10 and earlier (excluding v2 and v3)"
}
]
}
}
]
},
"vendor_name": "Frogman Office Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows an attacker to inject arbitrary web script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "JVN#29602086",
"refsource": "JVN",
"url": "https://jvn.jp/en/jp/JVN29602086/index.html"
},
{
"name": "http://tips.cs-cart.jp/fix-jvn-29602086.html",
"refsource": "CONFIRM",
"url": "http://tips.cs-cart.jp/fix-jvn-29602086.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2017-10886",
"datePublished": "2017-11-17T14:00:00",
"dateReserved": "2017-07-04T00:00:00",
"dateUpdated": "2024-08-05T17:50:12.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-2138 (GCVE-0-2017-2138)
Vulnerability from cvelistv5 – Published: 2017-08-02 16:00 – Updated: 2024-08-05 13:39
VLAI?
Summary
Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows remote attackers to hijack the authentication of administrators via unspecified vectors.
Severity ?
No CVSS data available.
CWE
- Cross-site request forgery
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Frogman Office Inc. | CS-Cart Japanese Edition |
Affected:
v4.3.10 and earlier (excluding v2 and v3)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:39:32.358Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "JVN#87770873",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN87770873/index.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://tips.cs-cart.jp/fix-csrf-20170406.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CS-Cart Japanese Edition",
"vendor": "Frogman Office Inc.",
"versions": [
{
"status": "affected",
"version": "v4.3.10 and earlier (excluding v2 and v3)"
}
]
},
{
"product": "CS-Cart Multivendor Japanese Edition",
"vendor": "Frogman Office Inc.",
"versions": [
{
"status": "affected",
"version": "v4.3.10 and earlier (excluding v2 and v3)"
}
]
}
],
"datePublic": "2017-08-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows remote attackers to hijack the authentication of administrators via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site request forgery",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-02T15:57:02",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"name": "JVN#87770873",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "https://jvn.jp/en/jp/JVN87770873/index.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://tips.cs-cart.jp/fix-csrf-20170406.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2017-2138",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CS-Cart Japanese Edition",
"version": {
"version_data": [
{
"version_value": "v4.3.10 and earlier (excluding v2 and v3)"
}
]
}
},
{
"product_name": "CS-Cart Multivendor Japanese Edition",
"version": {
"version_data": [
{
"version_value": "v4.3.10 and earlier (excluding v2 and v3)"
}
]
}
}
]
},
"vendor_name": "Frogman Office Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows remote attackers to hijack the authentication of administrators via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site request forgery"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "JVN#87770873",
"refsource": "JVN",
"url": "https://jvn.jp/en/jp/JVN87770873/index.html"
},
{
"name": "http://tips.cs-cart.jp/fix-csrf-20170406.html",
"refsource": "MISC",
"url": "http://tips.cs-cart.jp/fix-csrf-20170406.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2017-2138",
"datePublished": "2017-08-02T16:00:00",
"dateReserved": "2016-12-01T00:00:00",
"dateUpdated": "2024-08-05T13:39:32.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-4862 (GCVE-0-2016-4862)
Vulnerability from cvelistv5 – Published: 2017-04-20 18:00 – Updated: 2024-08-06 00:46
VLAI?
Summary
Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remote authenticated users to execute arbitrary PHP code on the servers.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:46:38.544Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "92992",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/92992"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://tips.cs-cart.jp/fix-twigmo-vulnerability-20160914.html"
},
{
"name": "JVNDB-2016-000157",
"tags": [
"third-party-advisory",
"x_refsource_JVNDB",
"x_transferred"
],
"url": "http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000157.html"
},
{
"name": "JVN#55389065",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN55389065/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-09-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remote authenticated users to execute arbitrary PHP code on the servers."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-20T17:57:01",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"name": "92992",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/92992"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://tips.cs-cart.jp/fix-twigmo-vulnerability-20160914.html"
},
{
"name": "JVNDB-2016-000157",
"tags": [
"third-party-advisory",
"x_refsource_JVNDB"
],
"url": "http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000157.html"
},
{
"name": "JVN#55389065",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "http://jvn.jp/en/jp/JVN55389065/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2016-4862",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remote authenticated users to execute arbitrary PHP code on the servers."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "92992",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/92992"
},
{
"name": "http://tips.cs-cart.jp/fix-twigmo-vulnerability-20160914.html",
"refsource": "CONFIRM",
"url": "http://tips.cs-cart.jp/fix-twigmo-vulnerability-20160914.html"
},
{
"name": "JVNDB-2016-000157",
"refsource": "JVNDB",
"url": "http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000157.html"
},
{
"name": "JVN#55389065",
"refsource": "JVN",
"url": "http://jvn.jp/en/jp/JVN55389065/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2016-4862",
"datePublished": "2017-04-20T18:00:00",
"dateReserved": "2016-05-17T00:00:00",
"dateUpdated": "2024-08-06T00:46:38.544Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-2701 (GCVE-0-2015-2701)
Vulnerability from cvelistv5 – Published: 2015-03-25 14:00 – Updated: 2024-08-06 05:24
VLAI?
Summary
Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of users for requests that change a user password via a request to profiles-update/.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:24:37.988Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "119632",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/show/osvdb/119632"
},
{
"name": "36358",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/36358"
},
{
"name": "72658",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/72658"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-03-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of users for requests that change a user password via a request to profiles-update/."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-12-01T15:57:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "119632",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/show/osvdb/119632"
},
{
"name": "36358",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/36358"
},
{
"name": "72658",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/72658"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-2701",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of users for requests that change a user password via a request to profiles-update/."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "119632",
"refsource": "OSVDB",
"url": "http://osvdb.org/show/osvdb/119632"
},
{
"name": "36358",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/36358"
},
{
"name": "72658",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/72658"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-2701",
"datePublished": "2015-03-25T14:00:00",
"dateReserved": "2015-03-25T00:00:00",
"dateUpdated": "2024-08-06T05:24:37.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-7317 (GCVE-0-2013-7317)
Vulnerability from cvelistv5 – Published: 2014-01-24 15:00 – Updated: 2024-09-17 02:32
VLAI?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) settings_file or (2) data_file parameter to (a) ampie.swf, (b) amline.swf, or (c) amcolumn.swf.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:01:20.321Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VU#405942",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "http://www.kb.cert.org/vuls/id/405942"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) settings_file or (2) data_file parameter to (a) ampie.swf, (b) amline.swf, or (c) amcolumn.swf."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-01-24T15:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "VU#405942",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "http://www.kb.cert.org/vuls/id/405942"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-7317",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) settings_file or (2) data_file parameter to (a) ampie.swf, (b) amline.swf, or (c) amcolumn.swf."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "VU#405942",
"refsource": "CERT-VN",
"url": "http://www.kb.cert.org/vuls/id/405942"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-7317",
"datePublished": "2014-01-24T15:00:00Z",
"dateReserved": "2014-01-24T00:00:00Z",
"dateUpdated": "2024-09-17T02:32:17.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-50850 (GCVE-0-2025-50850)
Vulnerability from nvd – Published: 2025-07-31 00:00 – Updated: 2025-07-31 19:57
VLAI?
Summary
An issue was discovered in CS Cart 4.18.3 allows the vendor login functionality lacks essential security controls such as CAPTCHA verification and rate limiting. This allows an attacker to systematically attempt various combinations of usernames and passwords (brute-force attack) to gain unauthorized access to vendor accounts. The absence of any blocking mechanism makes the login endpoint susceptible to automated attacks.
Severity ?
8.6 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-50850",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T19:51:44.917545Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-804",
"description": "CWE-804 Guessable CAPTCHA",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T19:57:19.017Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in CS Cart 4.18.3 allows the vendor login functionality lacks essential security controls such as CAPTCHA verification and rate limiting. This allows an attacker to systematically attempt various combinations of usernames and passwords (brute-force attack) to gain unauthorized access to vendor accounts. The absence of any blocking mechanism makes the login endpoint susceptible to automated attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T15:39:52.563Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://cs.com"
},
{
"url": "https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50850.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-50850",
"datePublished": "2025-07-31T00:00:00.000Z",
"dateReserved": "2025-06-16T00:00:00.000Z",
"dateUpdated": "2025-07-31T19:57:19.017Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-50848 (GCVE-0-2025-50848)
Vulnerability from nvd – Published: 2025-07-31 00:00 – Updated: 2025-07-31 19:58
VLAI?
Summary
A file upload vulnerability was discovered in CS Cart 4.18.3, allows attackers to execute arbitrary code. CS Cart 4.18.3 allows unrestricted upload of HTML files, which are rendered directly in the browser when accessed. This allows an attacker to upload a crafted HTML file containing malicious content, such as a fake login form for credential harvesting or scripts for Cross-Site Scripting (XSS) attacks. Since the content is served from a trusted domain, it significantly increases the likelihood of successful phishing or script execution against other users.
Severity ?
6.1 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-50848",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T19:57:54.209444Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T19:58:25.756Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A file upload vulnerability was discovered in CS Cart 4.18.3, allows attackers to execute arbitrary code. CS Cart 4.18.3 allows unrestricted upload of HTML files, which are rendered directly in the browser when accessed. This allows an attacker to upload a crafted HTML file containing malicious content, such as a fake login form for credential harvesting or scripts for Cross-Site Scripting (XSS) attacks. Since the content is served from a trusted domain, it significantly increases the likelihood of successful phishing or script execution against other users."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T15:57:36.275Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://cs.com"
},
{
"url": "https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50848.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-50848",
"datePublished": "2025-07-31T00:00:00.000Z",
"dateReserved": "2025-06-16T00:00:00.000Z",
"dateUpdated": "2025-07-31T19:58:25.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-50847 (GCVE-0-2025-50847)
Vulnerability from nvd – Published: 2025-07-31 00:00 – Updated: 2025-07-31 19:51
VLAI?
Summary
Cross Site Request Forgery (CSRF) vulnerability in CS Cart 4.18.3, allows attackers to add products to a user's comparison list via a crafted HTTP request.
Severity ?
6.5 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-50847",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T19:50:30.992521Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T19:51:08.514Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Request Forgery (CSRF) vulnerability in CS Cart 4.18.3, allows attackers to add products to a user\u0027s comparison list via a crafted HTTP request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T15:42:14.761Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://cs.com"
},
{
"url": "https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50847.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-50847",
"datePublished": "2025-07-31T00:00:00.000Z",
"dateReserved": "2025-06-16T00:00:00.000Z",
"dateUpdated": "2025-07-31T19:51:08.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32202 (GCVE-0-2021-32202)
Vulnerability from nvd – Published: 2021-09-14 11:37 – Updated: 2024-08-03 23:17
VLAI?
Summary
In CS-Cart version 4.11.1, it is possible to induce copy-paste XSS by manipulating the "post description" filed in the blog post creation page.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:17:29.209Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/l00neyhacker/CVE-2021-32202"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In CS-Cart version 4.11.1, it is possible to induce copy-paste XSS by manipulating the \"post description\" filed in the blog post creation page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-14T11:37:58",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/l00neyhacker/CVE-2021-32202"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-32202",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In CS-Cart version 4.11.1, it is possible to induce copy-paste XSS by manipulating the \"post description\" filed in the blog post creation page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/l00neyhacker/CVE-2021-32202",
"refsource": "MISC",
"url": "https://github.com/l00neyhacker/CVE-2021-32202"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-32202",
"datePublished": "2021-09-14T11:37:58",
"dateReserved": "2021-05-07T00:00:00",
"dateUpdated": "2024-08-03T23:17:29.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-15673 (GCVE-0-2017-15673)
Vulnerability from nvd – Published: 2017-11-28 15:00 – Updated: 2024-08-05 19:57
VLAI?
Summary
The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP code via vectors involving a custom page.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:57:27.597Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/145096/CSC-Cart-4.6.2-Shell-Upload.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-11-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP code via vectors involving a custom page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-11-28T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/145096/CSC-Cart-4.6.2-Shell-Upload.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-15673",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP code via vectors involving a custom page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://packetstormsecurity.com/files/145096/CSC-Cart-4.6.2-Shell-Upload.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/145096/CSC-Cart-4.6.2-Shell-Upload.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-15673",
"datePublished": "2017-11-28T15:00:00",
"dateReserved": "2017-10-20T00:00:00",
"dateUpdated": "2024-08-05T19:57:27.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-10886 (GCVE-0-2017-10886)
Vulnerability from nvd – Published: 2017-11-17 14:00 – Updated: 2024-08-05 17:50
VLAI?
Summary
Cross-site scripting vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows an attacker to inject arbitrary web script or HTML via unspecified vectors.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Frogman Office Inc. | CS-Cart Japanese Edition |
Affected:
v4.3.10 and earlier (excluding v2 and v3)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:50:12.728Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "JVN#29602086",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN29602086/index.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://tips.cs-cart.jp/fix-jvn-29602086.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CS-Cart Japanese Edition",
"vendor": "Frogman Office Inc.",
"versions": [
{
"status": "affected",
"version": "v4.3.10 and earlier (excluding v2 and v3)"
}
]
},
{
"product": "CS-Cart Multivendor Japanese Edition",
"vendor": "Frogman Office Inc.",
"versions": [
{
"status": "affected",
"version": "v4.3.10 and earlier (excluding v2 and v3)"
}
]
}
],
"datePublic": "2017-11-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows an attacker to inject arbitrary web script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-11-17T13:57:01",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"name": "JVN#29602086",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "https://jvn.jp/en/jp/JVN29602086/index.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://tips.cs-cart.jp/fix-jvn-29602086.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2017-10886",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CS-Cart Japanese Edition",
"version": {
"version_data": [
{
"version_value": "v4.3.10 and earlier (excluding v2 and v3)"
}
]
}
},
{
"product_name": "CS-Cart Multivendor Japanese Edition",
"version": {
"version_data": [
{
"version_value": "v4.3.10 and earlier (excluding v2 and v3)"
}
]
}
}
]
},
"vendor_name": "Frogman Office Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows an attacker to inject arbitrary web script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "JVN#29602086",
"refsource": "JVN",
"url": "https://jvn.jp/en/jp/JVN29602086/index.html"
},
{
"name": "http://tips.cs-cart.jp/fix-jvn-29602086.html",
"refsource": "CONFIRM",
"url": "http://tips.cs-cart.jp/fix-jvn-29602086.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2017-10886",
"datePublished": "2017-11-17T14:00:00",
"dateReserved": "2017-07-04T00:00:00",
"dateUpdated": "2024-08-05T17:50:12.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-2138 (GCVE-0-2017-2138)
Vulnerability from nvd – Published: 2017-08-02 16:00 – Updated: 2024-08-05 13:39
VLAI?
Summary
Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows remote attackers to hijack the authentication of administrators via unspecified vectors.
Severity ?
No CVSS data available.
CWE
- Cross-site request forgery
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Frogman Office Inc. | CS-Cart Japanese Edition |
Affected:
v4.3.10 and earlier (excluding v2 and v3)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:39:32.358Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "JVN#87770873",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN87770873/index.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://tips.cs-cart.jp/fix-csrf-20170406.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CS-Cart Japanese Edition",
"vendor": "Frogman Office Inc.",
"versions": [
{
"status": "affected",
"version": "v4.3.10 and earlier (excluding v2 and v3)"
}
]
},
{
"product": "CS-Cart Multivendor Japanese Edition",
"vendor": "Frogman Office Inc.",
"versions": [
{
"status": "affected",
"version": "v4.3.10 and earlier (excluding v2 and v3)"
}
]
}
],
"datePublic": "2017-08-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows remote attackers to hijack the authentication of administrators via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site request forgery",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-02T15:57:02",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"name": "JVN#87770873",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "https://jvn.jp/en/jp/JVN87770873/index.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://tips.cs-cart.jp/fix-csrf-20170406.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2017-2138",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CS-Cart Japanese Edition",
"version": {
"version_data": [
{
"version_value": "v4.3.10 and earlier (excluding v2 and v3)"
}
]
}
},
{
"product_name": "CS-Cart Multivendor Japanese Edition",
"version": {
"version_data": [
{
"version_value": "v4.3.10 and earlier (excluding v2 and v3)"
}
]
}
}
]
},
"vendor_name": "Frogman Office Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows remote attackers to hijack the authentication of administrators via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site request forgery"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "JVN#87770873",
"refsource": "JVN",
"url": "https://jvn.jp/en/jp/JVN87770873/index.html"
},
{
"name": "http://tips.cs-cart.jp/fix-csrf-20170406.html",
"refsource": "MISC",
"url": "http://tips.cs-cart.jp/fix-csrf-20170406.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2017-2138",
"datePublished": "2017-08-02T16:00:00",
"dateReserved": "2016-12-01T00:00:00",
"dateUpdated": "2024-08-05T13:39:32.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-4862 (GCVE-0-2016-4862)
Vulnerability from nvd – Published: 2017-04-20 18:00 – Updated: 2024-08-06 00:46
VLAI?
Summary
Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remote authenticated users to execute arbitrary PHP code on the servers.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:46:38.544Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "92992",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/92992"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://tips.cs-cart.jp/fix-twigmo-vulnerability-20160914.html"
},
{
"name": "JVNDB-2016-000157",
"tags": [
"third-party-advisory",
"x_refsource_JVNDB",
"x_transferred"
],
"url": "http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000157.html"
},
{
"name": "JVN#55389065",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN55389065/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-09-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remote authenticated users to execute arbitrary PHP code on the servers."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-20T17:57:01",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"name": "92992",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/92992"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://tips.cs-cart.jp/fix-twigmo-vulnerability-20160914.html"
},
{
"name": "JVNDB-2016-000157",
"tags": [
"third-party-advisory",
"x_refsource_JVNDB"
],
"url": "http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000157.html"
},
{
"name": "JVN#55389065",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "http://jvn.jp/en/jp/JVN55389065/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2016-4862",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remote authenticated users to execute arbitrary PHP code on the servers."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "92992",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/92992"
},
{
"name": "http://tips.cs-cart.jp/fix-twigmo-vulnerability-20160914.html",
"refsource": "CONFIRM",
"url": "http://tips.cs-cart.jp/fix-twigmo-vulnerability-20160914.html"
},
{
"name": "JVNDB-2016-000157",
"refsource": "JVNDB",
"url": "http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000157.html"
},
{
"name": "JVN#55389065",
"refsource": "JVN",
"url": "http://jvn.jp/en/jp/JVN55389065/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2016-4862",
"datePublished": "2017-04-20T18:00:00",
"dateReserved": "2016-05-17T00:00:00",
"dateUpdated": "2024-08-06T00:46:38.544Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-2701 (GCVE-0-2015-2701)
Vulnerability from nvd – Published: 2015-03-25 14:00 – Updated: 2024-08-06 05:24
VLAI?
Summary
Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of users for requests that change a user password via a request to profiles-update/.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:24:37.988Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "119632",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/show/osvdb/119632"
},
{
"name": "36358",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/36358"
},
{
"name": "72658",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/72658"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-03-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of users for requests that change a user password via a request to profiles-update/."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-12-01T15:57:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "119632",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/show/osvdb/119632"
},
{
"name": "36358",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/36358"
},
{
"name": "72658",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/72658"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-2701",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of users for requests that change a user password via a request to profiles-update/."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "119632",
"refsource": "OSVDB",
"url": "http://osvdb.org/show/osvdb/119632"
},
{
"name": "36358",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/36358"
},
{
"name": "72658",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/72658"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-2701",
"datePublished": "2015-03-25T14:00:00",
"dateReserved": "2015-03-25T00:00:00",
"dateUpdated": "2024-08-06T05:24:37.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-7317 (GCVE-0-2013-7317)
Vulnerability from nvd – Published: 2014-01-24 15:00 – Updated: 2024-09-17 02:32
VLAI?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) settings_file or (2) data_file parameter to (a) ampie.swf, (b) amline.swf, or (c) amcolumn.swf.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:01:20.321Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VU#405942",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "http://www.kb.cert.org/vuls/id/405942"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) settings_file or (2) data_file parameter to (a) ampie.swf, (b) amline.swf, or (c) amcolumn.swf."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-01-24T15:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "VU#405942",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "http://www.kb.cert.org/vuls/id/405942"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-7317",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) settings_file or (2) data_file parameter to (a) ampie.swf, (b) amline.swf, or (c) amcolumn.swf."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "VU#405942",
"refsource": "CERT-VN",
"url": "http://www.kb.cert.org/vuls/id/405942"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-7317",
"datePublished": "2014-01-24T15:00:00Z",
"dateReserved": "2014-01-24T00:00:00Z",
"dateUpdated": "2024-09-17T02:32:17.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}