GCVE - cpe:2.3:a:oscommerce:online_merchant:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:oscommerce:online_merchant:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Oscommerce (`098fcb3a-981f-5eec-92bc-f7a3c45bbae2`)
Product	Online Merchant (`e01c5edd-bf02-507b-80cc-a85ee5ddbfba`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:github/oscommerce/oscommerce`	purl2cpe	2026-06-01 10:12:48.813233
`pkg:github/oscommerce/oscommerce2`	purl2cpe	2026-06-01 10:12:48.813236

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2018-25114`	vulnerable	2026-06-08 05:11:29.394010	osCommerce 2.3.4.1 Installer Unauthenticated Configuration File Injection PHP Code Execution A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication in the installer workflow. By default, the /install/ directory remains accessible after installation. An unauthenticated attacker can invoke install_4.php, submit crafted POST data, and inject arbitrary PHP code into the configure.php file. When the application later includes this file, the injected payload is executed, resulting in full server-side compromise. Published: 2025-07-23T13:50:09.708Z Updated: 2026-04-07T14:03:44.222Z Open on db.gcve.eu Reference links https://www.exploit-db.com/exploits/44374 https://www.oscommerce.com/ https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/oscommerce_installer_unauth_code_exec.rb https://www.vulncheck.com/advisories/oscommerce-installer-unauth-config-file-injection-php-code-execution	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-10033`	vulnerable	2026-06-08 05:05:15.487258	Details available SQL injection vulnerability in the update_zone function in catalog/admin/geo_zones.php in osCommerce Online Merchant 2.3.3.4 and earlier allows remote administrators to execute arbitrary SQL commands via the zID parameter in a list action. Published: 2015-01-13T15:00:00.000Z Updated: 2024-08-06T14:02:38.054Z Open on db.gcve.eu Reference links http://www.exploit-db.com/exploits/31515 https://github.com/gburton/oscommerce2/commit/e4d90eccd7d9072ebe78da4c38fb048bfe31c902 http://www.secgeek.net/oscommerce-v2x-sql-injection-vulnerability/ https://exchange.xforce.ibmcloud.com/vulnerabilities/91113 http://osvdb.org/show/osvdb/103365	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-2991`	vulnerable	2026-06-08 05:02:07.563271	Details available The PayPal (aka MODULE_PAYMENT_PAYPAL_STANDARD) module before 1.1 in osCommerce Online Merchant before 2.3.4 allows remote attackers to set the payment recipient via a modified value of the merchant's e-mail address, as demonstrated by setting the recipient to one's self. Published: 2012-09-19T19:00:00.000Z Updated: 2024-08-06T19:50:05.382Z Open on db.gcve.eu Reference links http://www.kb.cert.org/vuls/id/459446 http://secunia.com/advisories/50640	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-2935`	vulnerable	2026-06-08 05:02:07.290654	Details available Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Shop/Application/Checkout/pages/main.php in OSCommerce Online Merchant 3.0.2 allows remote attackers to inject arbitrary web script or HTML via the value_title parameter, a different vulnerability than CVE-2012-1059. Published: 2012-05-27T19:00:00.000Z Updated: 2024-08-06T19:50:05.106Z Open on db.gcve.eu Reference links https://exchange.xforce.ibmcloud.com/vulnerabilities/75900 https://github.com/osCommerce/oscommerce/commit/a5aeb0448cc333cc4b801c0e01981b218fd9c7df	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1792`	vulnerable	2026-06-08 05:00:50.960977	Details available Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Setup/Application/Install/RPC/DBCheck.php in OSCommerce Online Merchant 3.0.2, when the software is being installed, allows remote attackers to inject arbitrary web script or HTML via the name parameter to oscommerce/index.php, which is not properly handled in an error message. NOTE: this might not be a vulnerability, since the ability to access oscommerce/index.php during installation may already imply administrator privileges. Published: 2012-05-27T19:00:00.000Z Updated: 2024-09-16T22:25:24.576Z Open on db.gcve.eu Reference links https://www.trustwave.com/spiderlabs/advisories/TWSL2012-005.txt	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-0312`	vulnerable	2026-06-08 05:00:40.637747	db.gcve.eu details were skipped to keep the page responsive. Open on db.gcve.eu	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2008-4765`	not_vulnerable	2026-06-08 04:50:48.092908	db.gcve.eu details were skipped to keep the page responsive. Open on db.gcve.eu	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.