CVE-2006-4525

CubeCart < 3.0.12 - Cross-Site Scripting via Links Array

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2006-4525. PoCs published by GulfTech Security.

AI-analyzed exploit summary: The writeup describes multiple vulnerabilities in CubeCart <= 3.0.12, including SQL injection via uninitialized arrays, XSS due to uninitialized arrays, and arbitrary file inclusion leading to potential RCE. Exploitation details and code snippets are provided for each vulnerability.

Description

Cross-site scripting (XSS) vulnerability in CubeCart 3.0.12 and earlier, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the links array.

Exploits (1)

exploitdb WRITEUP
by GulfTech Security · text · webapps · php
https://www.exploit-db.com/exploits/43840


Classification: Writeup 90%
Attack Type: SQLi | XSS | RCE
Complexity: Moderate
Reliability: Theoretical
Target: CubeCart <= 3.0.12
No auth needed
Prerequisites: register_globals enabled for XSS · magic_quotes_gpc disabled for file inclusion
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21659
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/19782
Various Sources x_refsource_confirm
http://cubecart.com/site/forums/index.php?showtopic=21540

Scores

EPSS 0.0338
EPSS Percentile 87.2%

Details

Status published
Products (1)
devellion/cubecart < 3.0.12
Published Sep 01, 2006
Tracked Since Feb 18, 2026