Quick.Cart
Quick.Cart version 6.7 stores user passwords in plaintext, allowing authenticated administrators to retrieve plaintext credentials through the user editing interface. This vulnerability poses a significant risk in multi-administrator environments where high-privileged users may abuse account access. No patch is currently available, and other versions may be similarly affected though unconfirmed.
Session fixation vulnerability in Quick.Cart allows attackers to set a user's session identifier before authentication. The session ID persists through login, enabling session hijacking of authenticated users.
Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. [CVSS 7.2 HIGH]
Quick.Cart is vulnerable to reflected XSS via the sSort parameter. An attacker can craft a malicious URL which, when opened, results in arbitrary JavaScript execution in the victim’s browser. [CVSS 6.1 MEDIUM]
Cross-site scripting (XSS) vulnerability in Open Solution Quick.Cms 5.0 and Quick.Cart 6.0, possibly as downloaded before December 19, 2012, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin.php.