cpe:2.3:a:oscommerce:oscommerce:*:*:*:*:*:*:*:*

Part: a
Version: *
Update: *
Vendor: Oscommerce (098fcb3a-981f-5eec-92bc-f7a3c45bbae2)
Product: Oscommerce (f05e8607-2cd4-5ed2-8937-7df3644c7cce)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL                                Source     Last updated
pkg:github/oscommerce/oscommerce    purl2cpe   2026-06-01 10:12:48.795621
pkg:github/oscommerce/oscommerce2   purl2cpe   2026-06-01 10:12:48.795625

Vulnerability references

Columns: Identifier | CPE applicability | Submitted | db.gcve.eu details | Rationale

Identifier: CVE-2025-40674
CPE applicability: vulnerable
Submitted: 2026-06-08 07:25:05.361268
db.gcve.eu details: Reflected Cross-Site Scripting (XSS) in osCommerce
  Reflected Cross-Site Scripting (XSS) in osCommerce v4. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the name of any parameter in /watch/en/about-us. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
  Published: 2025-06-17T08:50:17.363Z
  Updated: 2025-06-17T14:31:48.511Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2022-35212
CPE applicability: vulnerable
Submitted: 2026-06-08 05:46:04.269981
db.gcve.eu details:
  osCommerce2 before v2.3.4.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the function tep_db_error().
  Published: 2022-08-18T19:30:23.000Z
  Updated: 2024-08-03T09:29:17.471Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2019-25497
CPE applicability: vulnerable
Submitted: 2026-06-08 05:13:42.447197
db.gcve.eu details: osCommerce 2.3.4.1 SQL Injection via currency Parameter
  Severity: HIGH (8.2)
  osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. Attackers can send GET requests to shopping_cart.php with malicious currency values using boolean-based SQL injection payloads to extract sensitive database information.
  Published: 2026-02-27T17:23:38.536Z
  Updated: 2026-04-07T14:04:45.609Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2019-25496
CPE applicability: vulnerable
Submitted: 2026-06-08 05:13:42.446819
db.gcve.eu details: osCommerce 2.3.4.1 SQL Injection via products_id Parameter
  Severity: HIGH (8.2)
  osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the products_id parameter. Attackers can modify the products_id value in product_info.php requests and append boolean-based SQL injection payloads to extract sensitive database information.
  Published: 2026-02-27T17:23:37.732Z
  Updated: 2026-04-07T14:04:44.882Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2019-25495
CPE applicability: vulnerable
Submitted: 2026-06-08 05:13:42.444804
db.gcve.eu details: osCommerce 2.3.4.1 SQL Injection via reviews_id Parameter
  Severity: HIGH (8.2)
  osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the reviews_id parameter. Attackers can send GET requests to product_reviews_write.php with malicious reviews_id values using boolean-based SQL injection payloads to extract sensitive database information.
  Published: 2026-02-27T17:23:36.955Z
  Updated: 2026-04-07T14:04:44.088Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2015-2965
CPE applicability: vulnerable
Submitted: 2026-06-08 05:06:36.313512
db.gcve.eu details: skipped to keep the page responsive
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2009-20006
CPE applicability: vulnerable
Submitted: 2026-06-08 04:51:26.055885
db.gcve.eu details: skipped to keep the page responsive
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2006-5190
CPE applicability: vulnerable
Submitted: 2026-06-08 04:49:19.918169
db.gcve.eu details: skipped to keep the page responsive
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2003-1219
CPE applicability: vulnerable
Submitted: 2026-06-08 04:47:23.696292
db.gcve.eu details: skipped to keep the page responsive
Rationale: Imported from gcve-enriched-dumps CVE data
