Filtered by vendor Opencart
Subscriptions
Filtered by product Opencart
Subscriptions
Total
29 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-28838 | 1 Opencart | 1 Opencart | 2024-11-21 | 3.5 Low |
| Cross Site Request Forgery (CSRF) in CART option in OpenCart Ltd. Opencart CMS 3.0.3.6 allows attacker to add cart items via Add to cart. | ||||
| CVE-2020-13980 | 1 Opencart | 1 Opencart | 2024-11-21 | 4.8 Medium |
| OpenCart 3.0.3.3 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section because of a lack of entity encoding. NOTE: this issue exists because of an incomplete fix for CVE-2020-10596. The vendor states "this is not a massive issue as you are still required to be logged into the admin. | ||||
| CVE-2020-10596 | 1 Opencart | 1 Opencart | 2024-11-21 | 5.4 Medium |
| OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section. | ||||
| CVE-2019-15081 | 1 Opencart | 1 Opencart | 2024-11-21 | 4.8 Medium |
| OpenCart 3.x, when the attacker has login access to the admin panel, allows stored XSS within the Source/HTML editing feature of the Categories, Product, and Information pages. | ||||
| CVE-2018-13067 | 1 Opencart | 1 Opencart | 2024-11-21 | N/A |
| /upload/catalog/controller/account/password.php in OpenCart through 3.0.2.0 has CSRF via the index.php?route=account/password URI to change a user's password. | ||||
| CVE-2018-11495 | 1 Opencart | 1 Opencart | 2024-11-21 | N/A |
| OpenCart through 3.0.2.0 allows directory traversal in the editDownload function in admin\model\catalog\download.php via admin/index.php?route=catalog/download/edit, related to the download_id. For example, an attacker can download ../../config.php. | ||||
| CVE-2018-11494 | 1 Opencart | 1 Opencart | 2024-11-21 | N/A |
| The "program extension upload" feature in OpenCart through 3.0.2.0 has a six-step process (upload, install, unzip, move, xml, remove) that allows attackers to execute arbitrary code if the remove step is skipped, because the attacker can discover a secret temporary directory name (containing 10 random digits) via a directory traversal attack involving language_info['code']. | ||||
| CVE-2014-3990 | 1 Opencart | 1 Opencart | 2024-11-21 | N/A |
| The Cart::getProducts method in system/library/cart.php in OpenCart 1.5.6.4 and earlier allows remote attackers to conduct server-side request forgery (SSRF) attacks or possibly conduct XML External Entity (XXE) attacks and execute arbitrary code via a crafted serialized PHP object, related to the quantity parameter in an update request. | ||||
| CVE-2013-1891 | 2 Microsoft, Opencart | 2 Windows, Opencart | 2024-11-21 | 6.5 Medium |
| In OpenCart 1.4.7 to 1.5.5.1, implemented anti-traversal code in filemanager.php is ineffective and can be bypassed. | ||||