Authenticated remote code execution in CubeCart v6 prior to 6.7.3 allows an admin with documents-edit permission to embed raw PHP into the Invoice Editor template, which is later written to a predictable files/print.<md5>.php path that the bundled .htaccess explicitly exposes to unauthenticated visitors. SSVC rates technical impact as total and a POC exists, though EPSS remains very low (0.04%) and the issue is not on CISA KEV - no public exploit identified at time of analysis beyond researcher disclosure.
Account and store takeover in CubeCart 6.6.x through 6.7.1 is possible because the CC_STORE_URL constant is derived from the unvalidated Host header at bootstrap and embedded into password-reset emails. A remote unauthenticated attacker who knows a victim's email address can trigger a host-header poisoning attack that emails the user a reset link pointing at attacker-controlled infrastructure, capturing a valid 3,600-second token on click. SSVC reports a public POC and total technical impact, while EPSS remains low (0.03%) and no public exploit is identified as in-the-wild.
Authenticated server-side template injection in CubeCart v6 prior to 6.7.0 allows administrative users to achieve remote code execution by injecting Smarty template syntax into multiple admin-facing modules including Email Templates, Invoices, Documents, and Contact Forms. The flaw stems from evaluating user-supplied content through the Smarty engine without enabling Smarty Security Policies, granting OS-level command execution on the underlying server. No public exploit identified at time of analysis, EPSS is very low at 0.04%, and the issue is not on CISA KEV.
SQL injection in CubeCart v6 prior to 6.7.0 allows an authenticated administrator to execute arbitrary SQL against the store database via the unsanitized ORDER BY clause on the admin transactions listing page. The admin.php orders-transactions endpoint passes attacker-controlled GET parameters directly into a raw SQL fragment, bypassing the platform's sqlSafe() function which only escapes quote characters - none of which are required for ORDER BY injection. An attacker with at minimum CC_PERM_READ permission on orders can leverage time-based blind SQL injection to extract admin password hashes, customer PII, and integrated payment-gateway credentials. No public exploit identified at time of analysis, though SSVC data indicates POC code exists; the EPSS score of 0.03% (9th percentile) reflects limited observed exploitation interest.
Remote code execution in CubeCart v6 prior to 6.7.0 allows API key holders with files:rw permission to upload PHP webshells via the POST /api/v1/files REST endpoint. A path-traversal flaw in the filepath parameter lets attackers write executable files anywhere the webserver can write, including the document root, achieving full server takeover. No public exploit identified at time of analysis, though SSVC notes a POC and EPSS sits at 0.19% (40th percentile).
Reflected XSS in CubeCart v6 (prior to 6.7.0) enables unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted search URL that triggers a specific single-result code path in the search feature. The flaw exists in classes/catalogue.class.php where the searchCatalogue() method reflects the raw $_REQUEST['search']['keywords'] parameter in a notification message without sanitization - but only when the search returns exactly one product, bypassing all other input filters. A working exploit is publicly available on Exploit-DB (52588); the issue is not on CISA KEV, and EPSS remains low at 0.03%.
Stored Cross-Site Scripting in CubeCart v6.x (prior to 6.6.0) allows an authenticated administrator to inject persistent malicious JavaScript into product creation or modification fields, which then executes in the browsers of any user - customer or fellow administrator - who views the affected product pages. The attack requires high-privilege access (PR:H) and victim interaction (UI:R), limiting its realistic threat surface to compromised or malicious admin accounts. No public exploit identified at time of analysis and the issue is not on CISA KEV, though SSVC data indicates proof-of-concept code exists; EPSS stands at 0.03% (8th percentile), reflecting low observed exploitation pressure.
Authenticated SQL injection in CubeCart v6.x prior to 6.6.0 allows administrative users to execute arbitrary SQL commands through unsanitized sorting parameters on Products and Logs endpoints. Per SSVC, a proof-of-concept exists but the vulnerability is not in CISA KEV, and EPSS scoring (0.03%) reflects very low predicted exploitation activity due to the high-privilege prerequisite.
Authenticated server-side template injection in CubeCart v6 before 6.7.0 lets administrators escape the Smarty template sandbox and invoke native PHP functions through modules such as Email Templates and Documents. Attackers can call readgzfile() to exfiltrate configuration secrets and error_log() with message_type=3 to drop a PHP webshell, yielding full remote code execution. No public exploit identified at time of analysis, but an SSVC 'poc' status and an upstream commit hardening the Smarty allowlist indicate the technique is documented.