Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
7 vulnerabilities by SPA-Cart
CVE-2024-58304 (GCVE-0-2024-58304)
Vulnerability from cvelistv5 – Published: 2025-12-11 21:40 – Updated: 2026-04-07 14:08
VLAI
Title
SPA-CART CMS 1.9.0.3 Stored Cross-Site Scripting
Summary
SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit JavaScript payloads through the 'descr' parameter in the product edit form to execute arbitrary code in administrative users' browsers.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/51919 | exploit |
| https://www.vulncheck.com/advisories/spa-cart-cms… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SPA-Cart | SPA-CART CMS |
Affected:
1.9.0.3
|
Date Public
2024-03-25 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-58304",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T21:41:53.701886Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T20:39:03.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SPA-CART CMS",
"vendor": "SPA-Cart",
"versions": [
{
"status": "affected",
"version": "1.9.0.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Eren Sen"
}
],
"datePublic": "2024-03-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit JavaScript payloads through the \u0027descr\u0027 parameter in the product edit form to execute arbitrary code in administrative users\u0027 browsers.\u003c/p\u003e"
}
],
"value": "SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit JavaScript payloads through the \u0027descr\u0027 parameter in the product edit form to execute arbitrary code in administrative users\u0027 browsers."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:08:47.958Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-51919",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/51919"
},
{
"name": "VulnCheck Advisory: SPA-CART CMS 1.9.0.3 Stored Cross-Site Scripting via Product Description",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/spa-cart-cms-stored-cross-site-scripting-via-product-description"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SPA-CART CMS 1.9.0.3 Stored Cross-Site Scripting",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2024-58304",
"datePublished": "2025-12-11T21:40:42.224Z",
"dateReserved": "2025-12-11T11:49:20.718Z",
"dateUpdated": "2026-04-07T14:08:47.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-6129 (GCVE-0-2024-6129)
Vulnerability from cvelistv5 – Published: 2024-06-18 21:00 – Updated: 2024-08-19 18:08
VLAI
Title
spa-cartcms Username login observable behavioral discrepancy
Summary
A vulnerability, which was classified as problematic, was found in spa-cartcms 1.9.0.6. Affected is an unknown function of the file /login of the component Username Handler. The manipulation of the argument email leads to observable behavioral discrepancy. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268896.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-205 - Observable Behavioral Discrepancy
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.268896 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.268896 | signaturepermissions-required |
| https://seclists.org/fulldisclosure/2024/Jun/6 | mailing-list |
| https://msecureltd.blogspot.com/2024/04/friday-fu… | exploit |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | spa-cartcms |
Affected:
1.9.0.6
|
|
| spa-cart | spa-cart |
Affected:
1.9.0.6
cpe:2.3:a:spa-cart:spa-cart:1.9.0.6:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:33:05.155Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VDB-268896 | spa-cartcms Username login observable behavioral discrepancy",
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.268896"
},
{
"name": "VDB-268896 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.268896"
},
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2024/Jun/6"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://msecureltd.blogspot.com/2024/04/friday-fun-pentest-series-5-spa.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:spa-cart:spa-cart:1.9.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "spa-cart",
"vendor": "spa-cart",
"versions": [
{
"status": "affected",
"version": "1.9.0.6"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6129",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-19T18:03:02.695390Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-19T18:08:42.112Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Username Handler"
],
"product": "spa-cartcms",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "1.9.0.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, was found in spa-cartcms 1.9.0.6. Affected is an unknown function of the file /login of the component Username Handler. The manipulation of the argument email leads to observable behavioral discrepancy. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268896."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in spa-cartcms 1.9.0.6 gefunden. Sie wurde als problematisch eingestuft. Hiervon betroffen ist ein unbekannter Codeblock der Datei /login der Komponente Username Handler. Dank Manipulation des Arguments email mit unbekannten Daten kann eine observable behavioral discrepancy-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie gilt als schwierig auszunutzen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-205",
"description": "CWE-205 Observable Behavioral Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-18T21:00:08.822Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-268896 | spa-cartcms Username login observable behavioral discrepancy",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.268896"
},
{
"name": "VDB-268896 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.268896"
},
{
"tags": [
"mailing-list"
],
"url": "https://seclists.org/fulldisclosure/2024/Jun/6"
},
{
"tags": [
"exploit"
],
"url": "https://msecureltd.blogspot.com/2024/04/friday-fun-pentest-series-5-spa.html"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-18T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-06-18T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-06-18T18:27:34.000Z",
"value": "VulDB entry last update"
}
],
"title": "spa-cartcms Username login observable behavioral discrepancy"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-6129",
"datePublished": "2024-06-18T21:00:08.822Z",
"dateReserved": "2024-06-18T16:21:36.853Z",
"dateUpdated": "2024-08-19T18:08:42.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6128 (GCVE-0-2024-6128)
Vulnerability from cvelistv5 – Published: 2024-06-18 21:00 – Updated: 2024-08-01 21:33
VLAI
Title
spa-cartcms Checkout Page checkout behavioral workflow
Summary
A vulnerability, which was classified as problematic, has been found in spa-cartcms 1.9.0.6. This issue affects some unknown processing of the file /checkout of the component Checkout Page. The manipulation of the argument quantity with the input -10 leads to enforcement of behavioral workflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268895.
Severity
5.3 (Medium)
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-841 - Enforcement of Behavioral Workflow
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.268895 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.268895 | signaturepermissions-required |
| https://seclists.org/fulldisclosure/2024/Jun/6 | mailing-list |
| https://msecureltd.blogspot.com/2024/04/friday-fu… | exploit |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | spa-cartcms |
Affected:
1.9.0.6
|
|
| spa-cart | spa-cart |
Affected:
1.9.0.6
cpe:2.3:a:spa-cart:spa-cart:1.9.0.6:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:spa-cart:spa-cart:1.9.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "spa-cart",
"vendor": "spa-cart",
"versions": [
{
"status": "affected",
"version": "1.9.0.6"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6128",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-21T15:48:24.990503Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T15:54:04.824Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:33:05.032Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VDB-268895 | spa-cartcms Checkout Page checkout behavioral workflow",
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.268895"
},
{
"name": "VDB-268895 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.268895"
},
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2024/Jun/6"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://msecureltd.blogspot.com/2024/04/friday-fun-pentest-series-5-spa.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"modules": [
"Checkout Page"
],
"product": "spa-cartcms",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "1.9.0.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, has been found in spa-cartcms 1.9.0.6. This issue affects some unknown processing of the file /checkout of the component Checkout Page. The manipulation of the argument quantity with the input -10 leads to enforcement of behavioral workflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268895."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in spa-cartcms 1.9.0.6 entdeckt. Sie wurde als problematisch eingestuft. Davon betroffen ist unbekannter Code der Datei /checkout der Komponente Checkout Page. Dank der Manipulation des Arguments quantity mit der Eingabe -10 mit unbekannten Daten kann eine enforcement of behavioral workflow-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-841",
"description": "CWE-841 Enforcement of Behavioral Workflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-18T21:00:06.633Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-268895 | spa-cartcms Checkout Page checkout behavioral workflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.268895"
},
{
"name": "VDB-268895 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.268895"
},
{
"tags": [
"mailing-list"
],
"url": "https://seclists.org/fulldisclosure/2024/Jun/6"
},
{
"tags": [
"exploit"
],
"url": "https://msecureltd.blogspot.com/2024/04/friday-fun-pentest-series-5-spa.html"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-18T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-06-18T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-06-18T18:27:32.000Z",
"value": "VulDB entry last update"
}
],
"title": "spa-cartcms Checkout Page checkout behavioral workflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-6128",
"datePublished": "2024-06-18T21:00:06.633Z",
"dateReserved": "2024-06-18T16:21:34.412Z",
"dateUpdated": "2024-08-01T21:33:05.032Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43148 (GCVE-0-2023-43148)
Vulnerability from cvelistv5 – Published: 2023-10-12 00:00 – Updated: 2024-09-18 15:48
VLAI
Summary
SPA-Cart 1.9.0.3 has a Cross Site Request Forgery (CSRF) vulnerability that allows a remote attacker to delete all accounts.
Severity
No CVSS data available.
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:37:23.399Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/MinoTauro2020/CVE-2023-43148"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43148",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T15:48:35.207265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T15:48:43.944Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SPA-Cart 1.9.0.3 has a Cross Site Request Forgery (CSRF) vulnerability that allows a remote attacker to delete all accounts."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-12T18:07:39.920Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/MinoTauro2020/CVE-2023-43148"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-43148",
"datePublished": "2023-10-12T00:00:00.000Z",
"dateReserved": "2023-09-18T00:00:00.000Z",
"dateUpdated": "2024-09-18T15:48:43.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43149 (GCVE-0-2023-43149)
Vulnerability from cvelistv5 – Published: 2023-10-12 00:00 – Updated: 2024-09-18 15:46
VLAI
Summary
SPA-Cart 1.9.0.3 is vulnerable to Cross Site Request Forgery (CSRF) that allows a remote attacker to add an admin user with role status.
Severity
No CVSS data available.
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:37:23.595Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/MinoTauro2020/CVE-2023-43149"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43149",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T15:46:45.967052Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T15:46:54.077Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SPA-Cart 1.9.0.3 is vulnerable to Cross Site Request Forgery (CSRF) that allows a remote attacker to add an admin user with role status."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-12T17:15:02.814Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/MinoTauro2020/CVE-2023-43149"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-43149",
"datePublished": "2023-10-12T00:00:00.000Z",
"dateReserved": "2023-09-18T00:00:00.000Z",
"dateUpdated": "2024-09-18T15:46:54.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4548 (GCVE-0-2023-4548)
Vulnerability from cvelistv5 – Published: 2023-08-26 09:31 – Updated: 2024-08-02 07:31
VLAI
Title
SPA-Cart eCommerce CMS GET Parameter search sql injection
Summary
A vulnerability classified as critical has been found in SPA-Cart eCommerce CMS 1.9.0.3. This affects an unknown part of the file /search of the component GET Parameter Handler. The manipulation of the argument filter[brandid] leads to sql injection. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-238059.
Severity
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-89 - SQL Injection
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.238059 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.238059 | signaturepermissions-required |
| http://packetstormsecurity.com/files/174344/SPA-C… | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SPA-Cart | eCommerce CMS |
Affected:
1.9.0.3
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:31:06.304Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.238059"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.238059"
},
{
"tags": [
"related",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/174344/SPA-Cart-eCommerce-CMS-1.9.0.3-SQL-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"modules": [
"GET Parameter Handler"
],
"product": "eCommerce CMS",
"vendor": "SPA-Cart",
"versions": [
{
"status": "affected",
"version": "1.9.0.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"value": "skalvin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical has been found in SPA-Cart eCommerce CMS 1.9.0.3. This affects an unknown part of the file /search of the component GET Parameter Handler. The manipulation of the argument filter[brandid] leads to sql injection. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-238059."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in SPA-Cart eCommerce CMS 1.9.0.3 entdeckt. Sie wurde als kritisch eingestuft. Betroffen hiervon ist ein unbekannter Ablauf der Datei /search der Komponente GET Parameter Handler. Durch Manipulieren des Arguments filter[brandid] mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T14:56:14.347Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.238059"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.238059"
},
{
"tags": [
"related"
],
"url": "http://packetstormsecurity.com/files/174344/SPA-Cart-eCommerce-CMS-1.9.0.3-SQL-Injection.html"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-08-25T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-08-25T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-08-25T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-09-20T14:18:35.000Z",
"value": "VulDB entry last update"
}
],
"title": "SPA-Cart eCommerce CMS GET Parameter search sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-4548",
"datePublished": "2023-08-26T09:31:04.647Z",
"dateReserved": "2023-08-25T15:40:14.364Z",
"dateUpdated": "2024-08-02T07:31:06.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4547 (GCVE-0-2023-4547)
Vulnerability from cvelistv5 – Published: 2023-08-26 09:00 – Updated: 2024-08-02 07:31
VLAI
Title
SPA-Cart eCommerce CMS search cross site scripting
Summary
A vulnerability was found in SPA-Cart eCommerce CMS 1.9.0.3. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /search. The manipulation of the argument filter[brandid]/filter[price] leads to cross site scripting. The attack may be launched remotely. VDB-238058 is the identifier assigned to this vulnerability.
Severity
CWE
- CWE-79 - Cross Site Scripting
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.238058 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.238058 | signaturepermissions-required |
| http://packetstormsecurity.com/files/174343/SPA-C… | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SPA-Cart | eCommerce CMS |
Affected:
1.9.0.3
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:31:06.445Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.238058"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.238058"
},
{
"tags": [
"related",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/174343/SPA-Cart-eCommerce-CMS-1.9.0.3-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "eCommerce CMS",
"vendor": "SPA-Cart",
"versions": [
{
"status": "affected",
"version": "1.9.0.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"value": "skalvin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in SPA-Cart eCommerce CMS 1.9.0.3. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /search. The manipulation of the argument filter[brandid]/filter[price] leads to cross site scripting. The attack may be launched remotely. VDB-238058 is the identifier assigned to this vulnerability."
},
{
"lang": "de",
"value": "Eine problematische Schwachstelle wurde in SPA-Cart eCommerce CMS 1.9.0.3 ausgemacht. Betroffen davon ist ein unbekannter Prozess der Datei /search. Durch das Manipulieren des Arguments filter[brandid]/filter[price] mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T14:55:01.211Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.238058"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.238058"
},
{
"tags": [
"related"
],
"url": "http://packetstormsecurity.com/files/174343/SPA-Cart-eCommerce-CMS-1.9.0.3-Cross-Site-Scripting.html"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-08-25T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-08-25T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-08-25T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-09-20T14:15:37.000Z",
"value": "VulDB entry last update"
}
],
"title": "SPA-Cart eCommerce CMS search cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-4547",
"datePublished": "2023-08-26T09:00:06.615Z",
"dateReserved": "2023-08-25T15:40:12.274Z",
"dateUpdated": "2024-08-02T07:31:06.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}