osCommerce Online Merchant 2.3.4.1
Approved changes feed: RSS · Atom
cpe:2.3:a:oscommerce:online_merchant:2.3.4.1:*:*:*:*:*:*:*
part: a version: 2.3.4.1 update: *
| Vendor | Oscommerce (098fcb3a-981f-5eec-92bc-f7a3c45bbae2) |
|---|---|
| Product | Online Merchant (e01c5edd-bf02-507b-80cc-a85ee5ddbfba) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/oscommerce/oscommerce |
purl2cpe | 2026-06-01 10:12:48.813266 |
pkg:github/oscommerce/oscommerce2 |
purl2cpe | 2026-06-01 10:12:48.813267 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2018-25114 |
vulnerable | 2026-06-08 05:11:29.394723 |
osCommerce 2.3.4.1 Installer Unauthenticated Configuration File Injection PHP Code Execution
A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication in the installer workflow. By default, the /install/ directory remains accessible after installation. An unauthenticated attacker can invoke install_4.php, submit crafted POST data, and inject arbitrary PHP code into the configure.php file. When the application later includes this file, the injected payload is executed, resulting in full server-side compromise.
Published: 2025-07-23T13:50:09.708Z
Updated: 2026-04-07T14:03:44.222Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-18966 |
vulnerable | 2026-06-08 05:11:15.029603 |
Details available
osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. The .htaccess file in catalog/images/ bans the html extension, but Internet Explorer render HTML elements in a .eml file.
Published: 2018-11-06T04:00:00.000Z
Updated: 2024-08-05T11:23:08.581Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-18965 |
vulnerable | 2026-06-08 05:11:15.029189 |
Details available
osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. The .htaccess file in catalog/images/ bans the html extension, but there are several alternative cases in which HTML can be executed, such as a file with no extension or an unrecognized extension (e.g., the test or test.asdf filename).
Published: 2018-11-06T04:00:00.000Z
Updated: 2024-08-05T11:23:08.923Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-18964 |
vulnerable | 2026-06-08 05:11:15.028615 |
Details available
osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. The .htaccess file in catalog/images/ bans the html extension, but there are several extensions in which contained HTML can be executed, such as the svg extension.
Published: 2018-11-06T04:00:00.000Z
Updated: 2024-08-05T11:23:08.572Z Reference links |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.