cpe:2.3:a:oscommerce:oscommerce:4.0:*:*:*:*:*:*:*

part: a
version: 4.0
update: *

Vendor: Oscommerce (098fcb3a-981f-5eec-92bc-f7a3c45bbae2)
Product: Oscommerce (f05e8607-2cd4-5ed2-8937-7df3644c7cce)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from NVD CPE 2.0 feed

PURL mappings

PURL | Source | Last updated
pkg:github/oscommerce/oscommerce | purl2cpe | 2026-06-01 10:12:48.795781
pkg:github/oscommerce/oscommerce2 | purl2cpe | 2026-06-01 10:12:48.795782

Vulnerability references

Identifier | CPE applicability | Submitted | db.gcve.eu details | Rationale

CVE-2024-22724 | vulnerable | 2026-06-08 06:29:36.003012 | Details available
An issue was discovered in osCommerce v4, allows local attackers to bypass file upload restrictions and execute arbitrary code via administrator profile photo upload feature.
Published: 2024-03-21T00:00:00.000Z
Updated: 2024-08-06T14:32:24.651Z
Imported from gcve-enriched-dumps CVE data
CVE-2023-6609 | vulnerable | 2026-06-08 06:21:55.095210 | osCommerce all-products cross site scripting
Severity: LOW (3.5)
A vulnerability was found in osCommerce 4. It has been classified as problematic. This affects an unknown part of the file /b2b-supermarket/catalog/all-products. The manipulation of the argument keywords with the input %27%22%3E%3Cimg%2Fsrc%3D1+onerror%3Dalert%28document.cookie%29%3E leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-247245 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2023-12-08T14:31:05.304Z
Updated: 2024-08-02T08:35:14.822Z
Imported from gcve-enriched-dumps CVE data
CVE-2023-6579 | vulnerable | 2026-06-08 06:21:54.971745 | osCommerce POST Parameter shopping-cart sql injection
Severity: HIGH (7.3)
A vulnerability, which was classified as critical, has been found in osCommerce 4. Affected by this issue is some unknown functionality of the file /b2b-supermarket/shopping-cart of the component POST Parameter Handler. The manipulation of the argument estimate[country_id] leads to sql injection. The attack may be launched remotely. The identifier of this vulnerability is VDB-247160. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2023-12-07T21:31:04.204Z
Updated: 2025-02-13T17:26:27.974Z
Imported from gcve-enriched-dumps CVE data
CVE-2023-6296 | vulnerable | 2026-06-08 06:19:46.882934 | osCommerce Instant Message compare cross site scripting
Severity: MEDIUM (4.3)
A vulnerability was found in osCommerce 4. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /catalog/compare of the component Instant Message Handler. The manipulation of the argument compare with the input 40dz4iq"><script>alert(1)</script>zohkx leads to cross site scripting. The attack may be launched remotely. VDB-246122 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2023-11-26T21:31:04.142Z
Updated: 2025-02-13T17:26:16.997Z
Imported from gcve-enriched-dumps CVE data
CVE-2019-25497 | vulnerable | 2026-06-08 05:13:42.447328 | osCommerce 2.3.4.1 SQL Injection via currency Parameter
Severity: HIGH (8.2)
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. Attackers can send GET requests to shopping_cart.php with malicious currency values using boolean-based SQL injection payloads to extract sensitive database information.
Published: 2026-02-27T17:23:38.536Z
Updated: 2026-04-07T14:04:45.609Z
Imported from gcve-enriched-dumps CVE data
CVE-2019-25496 | vulnerable | 2026-06-08 05:13:42.446859 | db.gcve.eu details were skipped to keep the page responsive
Imported from gcve-enriched-dumps CVE data
CVE-2019-25495 | vulnerable | 2026-06-08 05:13:42.445570 | db.gcve.eu details were skipped to keep the page responsive
Imported from gcve-enriched-dumps CVE data