PT-2005-4931 · Quickpaypro · Quickpaypro
Published 2005-12-15 · Updated 2011-03-08 · CVE-2005-4243
CVSS v2.0: 7.5 (High)
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
QuickPayPro version 3.1
Description
Multiple SQL injection vulnerabilities in QuickPayPro 3.1 allow remote attackers to execute arbitrary SQL commands via the following parameters: popupid in "popups.edit.php"; so, sb, and nr in "customer.tickets.view.php"; subrackingid in "subscribers.tracking.edit.php"; delete in "design.php"; trackingid in "tracking.details.php"; and customerid in "sales.view.php".
Recommendations
For QuickPayPro version 3.1, consider restricting access to the affected parameters (popupid, so, sb, nr, subrackingid, delete, trackingid, and customerid) until a patch is available. As a temporary workaround, avoid using these parameters in the respective endpoints.
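As an added example for the defender side (not part of the advisory or of QuickPayPro itself), the following Python script scans constructed web-server access log lines for requests that reach the endpoints and parameters listed above with values outside a simple alphanumeric whitelist. The whitelist is an assumption, since the advisory does not state the expected value formats.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint -> parameters named in the advisory for QuickPayPro 3.1 (CVE-2005-4243).
AFFECTED = {
    "popups.edit.php": {"popupid"},
    "customer.tickets.view.php": {"so", "sb", "nr"},
    "subscribers.tracking.edit.php": {"subrackingid"},
    "design.php": {"delete"},
    "tracking.details.php": {"trackingid"},
    "sales.view.php": {"customerid"},
}

# Assumption (not from the advisory): legitimate values are short alphanumeric tokens.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_]{1,32}$")
# Minimal parser for the Apache/nginx "combined" log format; only the request line is used.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_params(target):
    """Return [(param, decoded value)] for affected parameters whose value fails the whitelist."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    watched = AFFECTED.get(script, set())
    hits = []
    # parse_qs URL-decodes values, so %27 (quote) and %20 (space) are inspected as plain text.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in watched:
            hits.extend((name, v) for v in values if not SAFE_VALUE.match(v))
    return hits

def scan_log(lines):
    """Return (client ip, script path, hits) for every request that trips the whitelist."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            hits = suspicious_params(m["target"])
            if hits:
                findings.append((m["ip"], urlsplit(m["target"]).path, hits))
    return findings

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Dec/2005:10:00:01 +0000] "GET /popups.edit.php?popupid=12 HTTP/1.1" 200 512',
    '203.0.113.5 - - [15/Dec/2005:10:00:02 +0000] "GET /popups.edit.php?popupid=12%27 HTTP/1.1" 500 0',
    '198.51.100.9 - - [15/Dec/2005:10:00:03 +0000] "GET /sales.view.php?customerid=7%20OR%201%3D1 HTTP/1.1" 200 9000',
    '198.51.100.9 - - [15/Dec/2005:10:00:04 +0000] "GET /index.php?customerid=7%27 HTTP/1.1" 200 100',
]
```

Only the request line is inspected, so the same check can be reused in front of the PHP pages as a request filter while the workaround is in place.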
Affected products
Quickpaypro