CVE-2014-8305

Cart Engine < 3.0 - Open Redirect via HTTP Referer Header

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-8305.

AI-analyzed exploit summary: The provided exploit code demonstrates multiple vulnerabilities in Cart Engine 3.0, including SQL injection via unsanitized 'item_id' parameters, reflected XSS through unneutralized output, and open redirect via untrusted HTTP Referer header. The PoC includes detailed HTTP requests for each vulnerability type.

Description

Open redirect vulnerability in the redir function in includes/function.php in C97net Cart Engine before 4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header to (1) index.php, (2) cart.php, (3) msg.php, or (4) page.php.

Exploits (1)

exploitdb · WORKING POC · webapps · php
https://www.exploit-db.com/exploits/34764

Classification: Working PoC 95%
Attack Type: SQLi | XSS | Other
Complexity: Moderate
Reliability: Reliable
Target: Cart Engine 3.0
No auth needed
Prerequisites: Access to the target web application · Ability to send crafted HTTP requests
devstral-2 · analyzed Feb 19, 2026

Scores

EPSS 0.0492
EPSS Percentile 91.0%

Details

Status published
Products (1)
c97/cart_engine < 3.0
Published Oct 16, 2014
Tracked Since Feb 18, 2026