Abantecart: >> Abantecart Security Vulnerabilities
SQL Injection vulnerability in AbanteCart 1.4.2, allows unauthenticated attackers to execute arbitrary SQL commands via the tmpl_id parameter to index.php. Three techniques have been demonstrated: error-based injection using a crafted FLOOR-based payload, time-based blind injection via SLEEP(), and UNION-based injection to extract arbitrary data.
CVSS Score
9.8
EPSS Score
0.002
Published
2025-08-27
Directory traversal vulnerability in AbanteCart version 1.4.2 allows unauthenticated attackers to gain access to sensitive system files via the template parameter to index.php.
CVSS Score
7.5
EPSS Score
0.008
Published
2025-08-26
Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through "/about_us?[XSS_PAYLOAD]".
CVSS Score
6.1
EPSS Score
0.0
Published
2025-05-12
Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through "/eyes?
[XSS_PAYLOAD]".
CVSS Score
6.1
EPSS Score
0.0
Published
2025-05-12
A SQL Injection vulnerability was discovered in AbanteCart 1.4.0 in the update() function in public_html/admin/controller/responses/listing_grid/collections.php. The vulnerability is exploitable via the id parameter.
CVSS Score
6.0
EPSS Score
0.002
Published
2024-10-31
A SQL Injection vulnerability was discovered in AbanteCart 1.4.0 in the update() function in public_html/admin/controller/responses/listing_grid/email_templates.php. The vulnerability is exploitable via the id parameter.
CVSS Score
6.0
EPSS Score
0.002
Published
2024-10-31
Abantecart through 1.3.2 allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Catalog>Media Manager>Images settings can be changed by an administrator (e.g., by configuring .php to be a valid image file type).
CVSS Score
7.2
EPSS Score
0.081
Published
2022-03-10
An issue was discovered in AbanteCart before 1.3.2. It allows DOM Based XSS.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-12-14
An issue was discovered in AbanteCart before 1.3.2. Any low-privileged user with file-upload permissions can upload a malicious SVG document that contains an XSS payload.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-12-14
AbanteCart 1.2.8 allows SQL Injection via the source_language parameter to admin/controller/pages/localisation/language.php and core/lib/language_manager.php, or via POST data to admin/controller/pages/tool/backup.php and admin/model/tool/backup.php.
CVSS Score
8.8
EPSS Score
0.002
Published
2019-05-24
Page 1