Archive for the ‘E-Commerce’ Category

CosmoShop ePRO Security Bypass

March 30th, 2014

Application: CosmoShop
Affected Version: version 10.17.00 and other versions.
Vendor’s URL: CosmoShop ePRO
Bug Type: Security Bypass
Risk Level: Critical

Solution:
No official solution is currently available.

Access Bypass, E-Commerce

osCommerce “products_id” Script Insertion

October 31st, 2013

Application: osCommerce
Affected Version: version 2.3.3 and prior versions.
Vendor’s URL: osCommerce
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Update to version 2.3.3.1.

Cross Site Scripting, E-Commerce

AspxCommerce Logo Module Arbitrary File Upload

September 30th, 2013

Application: AspxCommerce
Affected Version: version 2.0 and other versions.
Vendor’s URL: Logo Module
Bug Type: File Upload
Risk Level: Critical

Solution:
No official solution is currently available.

E-Commerce, File Inclusion

Joomla! VirtueMart Component Two Cross-Site Scripting and SQL Injection

August 26th, 2013

Application: Joomla!
Affected Version: versions prior to 2.0.22b.
Vendor’s URL: VirtueMart Component
Bug Type: Cross-Site Scripting and SQL Injection
Risk Level: Critical

Solution:
Update to version 2.0.22b.

Cross Site Scripting, E-Commerce, SQL Injection

PrestaShop TinyMCE Script Insertion Vulnerability

July 29th, 2013

Application: PrestaShop
Affected Version: versions 1.4.10.0 and 1.5.4.1 and other versions.
Vendor’s URL: TinyMCE Script
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Update to a fixed version if available.

Cross Site Scripting, E-Commerce

CubeCart “unserialize()” Configuration Manipulation Vulnerability

February 26th, 2013

Application: CubeCart
Affected Version: version 5.2.0 and prior versions.
Vendor’s URL: CubeCart
Bug Type: Security Bypass
Risk Level: Critical

Solution:
Update to version 5.2.1.

Access Bypass, E-Commerce

CubeCart Multiple Vulnerabilities

January 25th, 2013

Application: CubeCart
Affected Version: version 5.1.5 and other versions
Vendor’s URL: CubeCart
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
No official solution is currently available.

Cross Site Scripting, E-Commerce

PrestaShop “message” Script Insertion

November 26th, 2012

Application: PrestaShop
Affected Version: version 1.5.1 and prior versions.
Vendor’s URL: PrestaShop
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Update to version 1.5.2.

Cross Site Scripting, E-Commerce

Magento Unirgy uStoreLocator Extension SQL Injection

October 30th, 2012

Application: Magento
Affected Version: versions 2.0.0 and prior.
Vendor’s URL: Unirgy uStoreLocator Extension
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to version 2.0.1 or later.

E-Commerce, SQL Injection

WordPress wpStoreCart Plugin Arbitrary File Upload

June 30th, 2012

Application: WordPress
Affected Version: version 2.5.29 and prior versions.
Vendor’s URL: wpStoreCart Plugin
Bug Type: File Upload
Risk Level: Critical

Solution:
Update to version 2.5.30.

Content Management, E-Commerce, File Inclusion

OpenCart Two Vulnerabilities

April 30th, 2012

Application: OpenCart
Affected Version: version 1.5.2.1 and other versions.
Vendor’s URL: OpenCart
Bug Type: Arbitrary Code Execution
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly verified. Restrict access to the download folder (e.g. via .htaccess).

E-Commerce, Remote Command Execution

PrestaShop Presta2PhpList Module “list” SQL Injection

November 1st, 2011

Application: PrestaShop
Affected Version: version 1.5.
Vendor’s URL: Presta2PhpList Module
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

E-Commerce, SQL Injection

WordPress WP e-Commerce Plugin “transaction_id” Two SQL Injection

September 30th, 2011

Application: WordPress
Affected Version: version 3.8.6 and other versions.
Vendor’s URL: WP e-Commerce Plugin
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to version 3.8.6.1.

Content Management, E-Commerce, SQL Injection

OpenCart Cache Arbitrary File Overwrite

September 29th, 2011

Application: OpenCart
Affected Version: version 1.5.1.1 and prior versions.
Vendor’s URL: OpenCart
Bug Type: File Overwrite
Risk Level: Critical

Solution:
Update to version 1.5.1.2.

E-Commerce, File Inclusion

WordPress DukaPress Shopping Cart Plugin TimThumb Arbitrary File Upload

September 29th, 2011

Application: WordPress
Affected Version: versions bundling an outdated TimThumb.
Vendor’s URL: DukaPress Shopping Cart Plugin
Bug Type: File Upload
Risk Level: Critical

Solution:
Update to version 2.3.3 or later.

Content Management, E-Commerce, File Inclusion

DV Cart “keyword” SQL Injection

August 24th, 2011

Application: DV Cart
Affected Version: -
Vendor’s URL: DV Cart
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Filter malicious characters and character sequences using a proxy.

E-Commerce, SQL Injection

EZ-Shop “specialid” SQL Injection

April 27th, 2011

Application: EZ-Shop
Affected Version: version 1.0.2 and other versions.
Vendor’s URL: EZ-Shop
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

E-Commerce, SQL Injection

VirtueMart “search_category” SQL Injection

February 24th, 2011

Application: VirtueMart
Affected Version: version 1.1.6 and other versions.
Vendor’s URL: VirtueMart
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Apply patch.

E-Commerce, SQL Injection

CubeCart Cross-Site Request Forgery

December 30th, 2010

Application: CubeCart
Affected Version: version 4.4.3 and other versions.
Vendor’s URL: CubeCart
Bug Type: Cross-Site Request Forgery
Risk Level: Critical

Solution:
Do not browse untrusted websites while being logged in to the application.

Cross Site Scripting, E-Commerce

MH Products Easy Online Shop “kat” SQL Injection

December 30th, 2010

Application: MH Products Easy Online Shop
Affected Version:
Vendor’s URL: MH Products Easy Online Shop
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Filter malicious characters or character sequences via a proxy.

E-Commerce, SQL Injection