Zen Cart (vendor: Zen Cart)

42 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2024-5762
all versions
Zen Cart findPluginAdminPage Local File Inclusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers
8.1 HIGH
CVE-2020-6578
all versions
Zen Cart 1.5.6d allows reflected XSS via the main_page parameter to includes/templates/template_default/common/tpl_main_page.php o
6.1 MEDIUM
CVE-2021-3291
all versions
Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit
7.2 HIGH
CVE-2015-8352
all versions
Directory traversal vulnerability in Zen Cart 1.5.4 allows remote attackers to include and execute arbitrary local files via a ..
9.8 CRITICAL
CVE-2017-11675
all versions
The traverseStrictSanitize function in admin_dir/includes/classes/AdminRequestSanitizer.php in ZenCart 1.5.5e mishandles key strin
8.8 HIGH
CVE-2017-10667
all versions
In index.php in Zen Cart 1.6.0, the products_id parameter can cause XSS.
6.1 MEDIUM
CVE-2017-8833
all versions
Zen Cart 1.6.0 has XSS in the main_page parameter to index.php. NOTE: 1.6.0 is not an official release but the vendor's README.md
6.1 MEDIUM
CVE-2011-4403
all versions
Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication
CVE-2015-0882
all versions
Multiple cross-site scripting (XSS) vulnerabilities in zencart-ja (aka Zen Cart Japanese edition) 1.3 jp through 1.3.0.2 jp8 and 1
CVE-2012-5808
all versions
The LinkPoint module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN)
CVE-2012-5807
all versions
The Authorize.Net eCheck module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common
CVE-2012-5806
all versions
The PayPal Payments Pro module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common
CVE-2012-5805
all versions
The PayPal IPN functionality in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Na
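The four entries above (CVE-2012-5805 through CVE-2012-5808) share one root cause: the payment modules' outbound TLS calls accepted any CA-signed certificate without checking that its name matched the gateway host. The block below is an added example, not code from Zen Cart or from any of its payment modules. It shows the cURL option pair that decides this (CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST) in the weak form and the hardened form, and fails closed on a TLS error instead of retrying without verification. The function name, gateway URL, CA bundle path and POST fields are placeholders.

```php
<?php
// Added example (not Zen Cart code). Posts a form to a payment gateway over
// HTTPS; $verify = false reproduces the vulnerable configuration for
// comparison and must never be used in production.

function post_to_gateway(string $gatewayUrl, array $fields, string $caBundle, bool $verify = true): array
{
    $ch = curl_init($gatewayUrl);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }

    $opts = [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_CAINFO         => $caBundle,   // trust anchors for the chain check
    ];

    if ($verify) {
        // Hardened: the chain must validate against $caBundle AND the
        // certificate's name must match the host in $gatewayUrl.
        // 2 is the only meaningful VERIFYHOST value.
        $opts[CURLOPT_SSL_VERIFYPEER] = true;
        $opts[CURLOPT_SSL_VERIFYHOST] = 2;
    } else {
        // Weak (the CVE-2012-5805..5808 pattern): the chain may still be
        // checked, but with VERIFYHOST 0 (or the historical value 1, which
        // only tested that a Common Name existed) a valid certificate issued
        // for ANY hostname is accepted, so a man in the middle holding any
        // CA-signed certificate can impersonate the gateway.
        $opts[CURLOPT_SSL_VERIFYPEER] = true;
        $opts[CURLOPT_SSL_VERIFYHOST] = 0;
    }
    curl_setopt_array($ch, $opts);

    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    $code  = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    // Fail closed. curl errno 51 (CURLE_PEER_FAILED_VERIFICATION) and 60
    // (CURLE_SSL_CACERT) mean the peer could not be authenticated; the
    // wrong response is "retry with VERIFYPEER off", the right one is abort.
    if ($body === false) {
        throw new RuntimeException(sprintf('gateway request failed (curl %d): %s', $errno, $error));
    }
    return ['status' => $code, 'body' => $body];
}

// Placeholder usage; the URL and bundle path are assumptions, not real values.
// $resp = post_to_gateway('https://gateway.example/api', ['amount' => '10.00'],
//                         '/etc/ssl/certs/ca-certificates.crt');
```

Keep CURLOPT_CAINFO pointed at a bundle you maintain; with an unreadable bundle and VERIFYPEER on, curl_exec fails with errno 60, which is the desired outcome rather than a reason to disable the check.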
CVE-2012-1413
all versions
Cross-site scripting (XSS) vulnerability in zc_install/includes/modules/pages/database_setup/header_php.php in Zen Cart 1.5.0 and
CVE-2011-4567
<= 1.3.9
Cross-site scripting (XSS) vulnerability in includes/templates/template_default/templates/tpl_gv_send_default.php in Zen Cart befo
CVE-2011-4547
all versions
Multiple cross-site scripting (XSS) vulnerabilities in includes/templates/template_default/common/tpl_header_test_info.php in Zen
CVE-2009-4323
all versions
The installation for Zen Cart stores sensitive information and insecure programs under the (1) docs, (2) extras, and (3) zc_instal
CVE-2009-4322
all versions
extras/ipn_test_return.php in Zen Cart allows remote attackers to obtain sensitive information via a direct request, which reveals
CVE-2009-4321
all versions
extras/curltest.php in Zen Cart 1.3.8 and 1.3.8a, and possibly other versions, allows remote attackers to read arbitrary files via
CVE-2008-6986
all versions
SQL injection vulnerability in the actionMultipleAddProduct function in includes/classes/shopping_cart.php in Zen Cart 1.3.0 throu
CVE-2008-6985
all versions
Multiple SQL injection vulnerabilities in includes/classes/shopping_cart.php in Zen Cart 1.2.0 through 1.3.8a, when magic_quotes_g
CVE-2008-6878
all versions
Directory traversal vulnerability in admin/includes/languages/english.php in Zen Cart 1.3.8a, 1.3.8, and earlier, when .htaccess i
CVE-2008-6877
all versions
Directory traversal vulnerability in admin/includes/initsystem.php in Zen Cart 1.3.8 and 1.3.8a, when .htaccess is not supported,
CVE-2009-2255
<= 1.3.8a
Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/record_company.php, which allows remo
CVE-2009-2254
<= 1.3.8a
Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/sqlpatch.php, which allows remote att
CVE-2008-6616
all versions
Cross-site scripting (XSS) vulnerability in index.php in Zen Software Zen Cart 2008 allows remote attackers to inject arbitrary we
CVE-2008-6615
all versions
SQL injection vulnerability in index.php in Zen Software Zen Cart 2008 allows remote attackers to execute arbitrary SQL commands v
CVE-2007-3597
<= 1.3.7
Session fixation vulnerability in Zen Cart 1.3.7 and earlier allows remote attackers to hijack web sessions by setting the Cookie
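Session fixation, as in CVE-2007-3597, works because the application keeps using whatever session identifier arrived with the request, so an identifier the attacker planted in the victim's cookie before login becomes an authenticated session the attacker already knows. The block below is an added example, not Zen Cart's session code: it refuses identifiers the server did not issue, accepts the id from the cookie only, and replaces the id at the moment of authentication. The login function and the credential check it takes are placeholders.

```php
<?php
// Added example (not Zen Cart code). Session setup plus a login routine that
// never lets a pre-authentication session id survive authentication.

// Reject session ids the server did not generate (PHP >= 5.5.2) and take the
// id only from the cookie, never from a URL or form parameter.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Array form requires PHP >= 7.3.
session_set_cookie_params([
    'httponly' => true,   // not readable by script
    'secure'   => true,   // HTTPS only
    'samesite' => 'Lax',
]);
session_start();

/**
 * $verify is a placeholder credential check: callable(string, string): bool.
 */
function login(string $user, string $password, callable $verify): bool
{
    if (!$verify($user, $password)) {
        return false;
    }
    // Issue a fresh id and delete the old session record, so an attacker who
    // planted the previous id is left holding a dead one.
    session_regenerate_id(true);
    // Start the authenticated session from a clean state; do not carry over
    // attributes set while the session was still anonymous.
    $_SESSION = ['user' => $user, 'auth_at' => time()];
    return true;
}

// Constructed self-check (PHP >= 7.4 for the arrow function).
$before = session_id();
$ok = login('alice', 'correct horse', fn($u, $p) => $u === 'alice' && $p === 'correct horse');
assert($ok && session_id() !== $before);
```

Do the same regeneration on privilege changes (customer to admin, guest to logged in) and when the session is destroyed on logout; use_strict_mode alone does not help if the attacker obtained a genuine, server-issued id first.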
CVE-2006-6868
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Zen Cart Web Shopping Cart before 1.3.7 allow remote attackers to inject ar
CVE-2006-5119
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Zen Cart 1.3.5 allow remote attackers to inject arbitrary web script or HTM
CVE-2006-4218
all versions
Directory traversal vulnerability in Zen Cart 1.3.0.2 and earlier allows remote attackers to include and possibly execute arbitrar
CVE-2006-4215
<= 1.3.0.2
PHP remote file inclusion vulnerability in index.php in Zen Cart 1.3.0.2 and earlier, when register_globals is enabled, allows rem
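Several entries on this page are the same bug class: a request parameter naming a page or language file reaches an include() unchecked, so "../" sequences read local files (CVE-2015-8352, CVE-2008-6877, CVE-2008-6878, CVE-2006-4218) and, with register_globals on, a URL pulls in remote code (CVE-2006-4215). The block below is an added example, not Zen Cart's code, of resolving such a parameter safely: a strict shape check, an allowlist of pages the application ships, and a canonical-path containment test. The function name, the allowlist contents and the directory layout are assumptions.

```php
<?php
// Added example (not Zen Cart code). Maps a user-controlled page name to a
// file under a fixed directory, or returns null. Nothing outside $baseDir,
// no remote wrapper, no NUL-byte truncation can get through.

function resolve_page_include(string $requested, string $baseDir, array $allowedPages): ?string
{
    // 1. Shape check: a bare page name. This single test rejects '../', '/',
    //    '\\', NUL bytes and 'http://'-style remote wrappers.
    if (!preg_match('/\A[a-z0-9_]{1,64}\z/', $requested)) {
        return null;
    }
    // 2. Allowlist: only pages the application actually defines.
    if (!in_array($requested, $allowedPages, true)) {
        return null;
    }
    // 3. Containment: the resolved, symlink-free path must still sit under
    //    $baseDir. realpath() returns false for missing files.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed self-check: a throwaway page directory with one real file.
$allowed = ['index', 'product_info', 'shopping_cart'];
$baseDir = sys_get_temp_dir() . '/zc_pages_example';
@mkdir($baseDir);
file_put_contents($baseDir . '/product_info.php', "<?php // stub\n");

assert(resolve_page_include('product_info', $baseDir, $allowed) !== null);
assert(resolve_page_include('index', $baseDir, $allowed) === null);          // allowed name, file absent
assert(resolve_page_include('../../etc/passwd', $baseDir, $allowed) === null);
assert(resolve_page_include('http://evil.example/x', $baseDir, $allowed) === null);
assert(resolve_page_include("product_info\0.txt", $baseDir, $allowed) === null);

// Use the result, never the raw parameter:
// $page = resolve_page_include($_GET['main_page'] ?? '', __DIR__ . '/pages', $allowed);
// if ($page === null) { http_response_code(404); exit; }
// require $page;
```

The allowlist is the control that matters; the realpath() containment check is defence in depth for the day the allowlist is generated from something an attacker can influence. Disabling allow_url_include (and, on old PHP, register_globals) closes the remote-inclusion variant independently of this code.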
CVE-2006-4214
<= 1.3.0.2
Multiple SQL injection vulnerabilities in Zen Cart 1.3.0.2 and earlier allow remote attackers to execute arbitrary SQL commands vi
CVE-2006-3757
all versions
index.php in Zen Cart 1.3.0.2 allows remote attackers to obtain sensitive information via empty (1) _GET[], (2) _SESSION[], (3) _P
CVE-2006-0698
all versions
Unspecified vulnerabilities in Zen Cart before 1.2.7 allow remote attackers to cause unknown impact via unspecified vectors relate
CVE-2006-0697
<= 1.2.6d
Zen Cart before 1.2.7 does not protect the admin/includes directory, which allows remote attackers to cause unknown impact via uns
CVE-2006-0696
all versions
SQL injection vulnerability in Zen Cart before 1.2.7 allows remote attackers to execute arbitrary SQL commands via unspecified vec
CVE-2005-3997
<= 1.2.6d
Zen Cart 1.2.6d and earlier, under certain PHP configurations, allows remote attackers to obtain sensitive information via direct
CVE-2005-3996
<= 1.2.6d
SQL injection vulnerability in admin/password_forgotten.php in Zen Cart 1.2.6d and earlier allows remote attackers to execute arbi
CVE-2004-2025
all versions
SQL injection vulnerability in application_top.php for Zen Cart 1.1.3 before patch 2 may allow remote attackers to execute arbitra
CVE-2004-2024
all versions
The distribution of Zen Cart 1.1.4 before patch 2 includes certain debugging code in the Admin password retrieval functionality, w
CVE-2004-2023
all versions
SQL injection vulnerability in login.php in Zen Cart 1.1.2d, 1.1.4 before patch 1, and possibly other versions allows remote attac
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin