CubeCart before 6.1.13 has SQL Injection via the validate[] parameter of the "I forgot my Password!" feature.Referenceshttps://blog.ripstech.com/2018/cubecart-admin-authentication-bypass/
