CVE-2005-3152

CubeCart 3.0.3 - Cross-Site Scripting via redir or searchStr Parameter


Exploitation Summary

EIP tracks 2 public exploits for CVE-2005-3152. PoCs published by Lostmon.

AI-analyzed exploit summary: The exploit demonstrates XSS vulnerabilities in CubeCart by injecting arbitrary script code via unsanitized user input in the 'searchStr' and 'redir' parameters. The PoC includes example URLs that trigger JavaScript execution in the context of the affected site.

Description

Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.3 allow remote attackers to inject arbitrary web script or HTML via the redir parameter to (1) cart.php or (2) index.php, or (3) the searchStr parameter in a viewCat action to index.php. Note: vectors (1) and (2) were later reported to affect 3.0.7-pl1.

Exploits (2)

Exploit-DB · Working PoC · Verified
by Lostmon · text · webapps · php
https://www.exploit-db.com/exploits/26303

Classification: Working PoC (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: CubeCart 3.x
Authentication: none required
Prerequisites: Access to a vulnerable CubeCart instance
Analyzed by devstral-2 on Feb 16, 2026
Exploit-DB · Writeup · Verified
by Lostmon · text · webapps · php
https://www.exploit-db.com/exploits/26304

The provided text describes a cross-site scripting (XSS) vulnerability in CubeCart, with example URLs demonstrating how arbitrary script code can be executed in the context of the affected site. It does not contain executable exploit code but serves as a technical writeup.

Classification: Writeup (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Theoretical
Target: CubeCart (version not specified)
Authentication: none required
Prerequisites: Access to a vulnerable CubeCart installation · Ability to craft malicious URLs
Analyzed by devstral-2 on Feb 16, 2026

References (8)

https://exchange.xforce.ibmcloud.com/vulnerabilities/24177 (Third Party Advisory, VDB Entry; vdb-entry, x_refsource_xf)
http://bugs.cubecart.com/?do=details&id=363 (Various Sources; x_refsource_confirm)
http://bugs.cubecart.com/?do=details&id=459 (Various Sources; x_refsource_misc)
http://securitytracker.com/id?1014984 (Exploit; vdb-entry, x_refsource_sectrack)
http://securityreason.com/securityalert/35 (Third Party Advisory; third-party-advisory, x_refsource_sreason)
http://www.securityfocus.com/bid/14962 (Exploit, Patch; vdb-entry, x_refsource_bid)

Scores

EPSS: 0.0223
EPSS Percentile: 80.5%

Details

Status: published
Products (2):
devellion/cubecart 3.0.3
devellion/cubecart 3.0.7-pl1
Published: Oct 05, 2005
Tracked Since: Feb 18, 2026