Every CVE whose affected-product data names Zen-cart Zen Cart, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (27)
CVE-2006-0697 — CVSS 10.0 (critical): Zen Cart before 1.2.7 does not protect the admin/includes directory, which allows remote attackers to cause unknown impact via unspecified…
CVE-2015-8352 — CVSS 9.8 (critical): Directory traversal vulnerability in Zen Cart 1.5.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot)…
CVE-2017-11675 — CVSS 8.8 (high): The traverseStrictSanitize function in admin_dir/includes/classes/AdminRequestSanitizer.php in ZenCart 1.5.5e mishandles key strings, which…
CVE-2024-5762 — CVSS 8.1 (high): Zen Cart findPluginAdminPage Local File Inclusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to…
CVE-2009-4323 — CVSS 7.5 (high): The installation for Zen Cart stores sensitive information and insecure programs under the (1) docs, (2) extras, and (3) zc_install…
CVE-2008-6615 — CVSS 7.5 (high): SQL injection vulnerability in index.php in Zen Software Zen Cart 2008 allows remote attackers to execute arbitrary SQL commands via the…
CVE-2009-2254 — CVSS 7.5 (high): Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/sqlpatch.php, which allows remote attackers to…
CVE-2021-3291 — CVSS 7.2 (high): Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and…
CVE-2009-2255 — CVSS 6.8 (medium): Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/record_company.php, which allows remote…
CVE-2008-6986 — CVSS 6.8 (medium): SQL injection vulnerability in the actionMultipleAddProduct function in includes/classes/shopping_cart.php in Zen Cart 1.3.0 through…
CVE-2008-6985 — CVSS 6.8 (medium): Multiple SQL injection vulnerabilities in includes/classes/shopping_cart.php in Zen Cart 1.2.0 through 1.3.8a, when magic_quotes_gpc is…
CVE-2020-6578 — CVSS 6.1 (medium): Zen Cart 1.5.6d allows reflected XSS via the main_page parameter to includes/templates/template_default/common/tpl_main_page.php or…
CVE-2017-8833 — CVSS 6.1 (medium): Zen Cart 1.6.0 has XSS in the main_page parameter to index.php. NOTE: 1.6.0 is not an official release but the vendor's README.md file…
CVE-2012-5808 — CVSS 5.8 (medium): The LinkPoint module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or…
CVE-2012-5805 — CVSS 5.8 (medium): The PayPal IPN functionality in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN)…
CVE-2012-5806 — CVSS 5.8 (medium): The PayPal Payments Pro module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN)…
CVE-2012-5807 — CVSS 5.8 (medium): The Authorize.Net eCheck module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name…
CVE-2011-4403 — CVSS 5.8 (medium): Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication of…
CVE-2005-3996 — CVSS 5.1 (medium): SQL injection vulnerability in admin/password_forgotten.php in Zen Cart 1.2.6d and earlier allows remote attackers to execute arbitrary SQL…
CVE-2009-4321 — CVSS 5.0 (medium): extras/curltest.php in Zen Cart 1.3.8 and 1.3.8a, and possibly other versions, allows remote attackers to read arbitrary files via a…
CVE-2009-4322 — CVSS 5.0 (medium): extras/ipn_test_return.php in Zen Cart allows remote attackers to obtain sensitive information via a direct request, which reveals the…
CVE-2015-0882 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in zencart-ja (aka Zen Cart Japanese edition) 1.3 jp through 1.3.0.2 jp8 and 1.5 ja…
CVE-2011-4547 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in includes/templates/template_default/common/tpl_header_test_info.php in Zen Cart…
CVE-2011-4567 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in includes/templates/template_default/templates/tpl_gv_send_default.php in Zen Cart before 1.5…
CVE-2008-6616 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in index.php in Zen Software Zen Cart 2008 allows remote attackers to inject arbitrary web script…
CVE-2012-1413 — CVSS 2.6 (low): Cross-site scripting (XSS) vulnerability in zc_install/includes/modules/pages/database_setup/header_php.php in Zen Cart 1.5.0 and earlier…