CVE Tools

zen-cart

Web & CMS Pluginsoss-project

15

Cumulative CVEs

7

Monthly snapshots

#38

Peak rank

Top products

Latest CVEs

The 15 most recently published vulnerabilities affecting zen-cart.

CVE-2024-5762Zen Cart findPluginAdminPage Local File Inclusion Remote Code Execution Vulnerability8.1Aug 21, 2024
CVE-2020-6578Zen Cart 1.5.6d allows reflected XSS via the main_page parameter to includes/templates/template_default/common/tpl_main_page.php or includes/templates/responsive_classic/common/tpl_main_page.php.6.1Mar 19, 2021
CVE-2021-3291Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command.7.2Jan 26, 2021
CVE-2015-8352Directory traversal vulnerability in Zen Cart 1.5.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the act parameter to ajax.php.9.8Aug 24, 2017
CVE-2017-11675The traverseStrictSanitize function in admin_dir/includes/classes/AdminRequestSanitizer.php in ZenCart 1.5.5e mishandles key strings, which allows remote authenticated users to execute arbitrary PH...8.8Jul 27, 2017
CVE-2017-10667In index.php in Zen Cart 1.6.0, the products_id parameter can cause XSS.6.1Jun 29, 2017
CVE-2017-8833Zen Cart 1.6.0 has XSS in the main_page parameter to index.php. NOTE: 1.6.0 is not an official release but the vendor's README.md file offers a link to v160.zip with a description of "Download late...6.1May 8, 2017
CVE-2011-4403Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication of administrators for requests that (1) delete a product via a dele...5.8Apr 24, 2015
CVE-2015-0882Multiple cross-site scripting (XSS) vulnerabilities in zencart-ja (aka Zen Cart Japanese edition) 1.3 jp through 1.3.0.2 jp8 and 1.5 ja through 1.5.1 ja allow remote attackers to inject arbitrary w...4.3Feb 27, 2015
CVE-2012-5808The LinkPoint module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-...5.8Nov 4, 2012
CVE-2012-5807The Authorize.Net eCheck module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which ...5.8Nov 4, 2012
CVE-2012-5806The PayPal Payments Pro module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which a...5.8Nov 4, 2012
CVE-2012-5805The PayPal IPN functionality in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which all...5.8Nov 4, 2012
CVE-2012-1413Cross-site scripting (XSS) vulnerability in zc_install/includes/modules/pages/database_setup/header_php.php in Zen Cart 1.5.0 and earlier, when the software is being installed, allows remote attack...2.6May 27, 2012
CVE-2011-4567Cross-site scripting (XSS) vulnerability in includes/templates/template_default/templates/tpl_gv_send_default.php in Zen Cart before 1.5 allows remote attackers to inject arbitrary web script or HT...4.3Nov 29, 2011