U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): cpe:2.3:a:cs-cart:cs-cart:1.3.4:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 6 matching records.
Displaying matches 1 through 6.
Vuln ID Summary CVSS Severity

The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP code via vectors involving a custom page.

Published: November 28, 2017; 10:29:00 AM -0500
V3.0: 7.2 HIGH
V2.0: 9.0 HIGH

Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remote authenticated users to execute arbitrary PHP code on the servers.

Published: April 20, 2017; 2:59:00 PM -0400
V3.0: 8.8 HIGH
V2.0: 6.5 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) settings_file or (2) data_file parameter to (a) ampie.swf, (b) amline.swf, or (c) amcolumn.swf.

Published: January 24, 2014; 10:08:00 AM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM

CS-Cart before 3.0.6, when PayPal Standard Payments is configured, allows remote attackers to set the payment recipient via a modified value of the merchant's e-mail address, as demonstrated by setting the recipient to one's self.

Published: February 24, 2013; 6:48:21 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM

SQL injection vulnerability in reward_points.post.php in the Reward points addon in CS-Cart before 2.0.6 allows remote authenticated users to execute arbitrary SQL commands via the sort_order parameter in a reward_points.userlog action to index.php, a different vulnerability than CVE-2005-4429.2.

Published: August 05, 2009; 3:30:01 PM -0400
V3.x:(not available)
V2.0: 6.5 MEDIUM

SQL injection vulnerability in core/user.php in CS-Cart 1.3.5 and earlier allows remote attackers to execute arbitrary SQL commands via the cs_cookies[customer_user_id] cookie parameter.

Published: March 04, 2009; 12:30:00 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH