PT-2008-5147 · Picturespro · Picturespro Photo Cart

~!Dok_Tor!~ · Published 2008-08-26 · Updated 2017-09-29 · CVE-2008-3788

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: PICTURESPRO Photo Cart version 3.9
Description: The issue allows remote attackers to execute arbitrary SQL commands. This is possible due to multiple SQL injection vulnerabilities when magic_quotes_gpc is disabled. The vulnerable parameters are qtitle, qid, and qyear in the "search.php" endpoint, and email and password in the "login.php" endpoint.
Recommendations: For PICTURESPRO Photo Cart version 3.9, consider disabling the magic_quotes_gpc option or restricting access to the "search.php" and "login.php" endpoints until a patch is available. As a temporary workaround, avoid using the qtitle, qid, qyear, email, and password parameters in the affected endpoints.
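The advisory ties the injection to magic_quotes_gpc being off, which means the application relies on that setting to neutralise quotes in request data before building SQL text. The durable fix is to stop building SQL from request text at all. The following is an added example, not Photo Cart's own code: a search and login handler for the parameters the advisory names (qtitle, qid, qyear, email, password) written with PDO prepared statements, so the query is correct whether magic_quotes_gpc is on, off, or absent (it was removed in PHP 5.4). The table and column names, the SQLite test database and the request values are assumptions constructed for the example.

```php
<?php
// Added example (not Photo Cart's code): handling the advisory's parameters
// with bound values instead of string-built SQL. Schema is assumed.
declare(strict_types=1);

// The pattern the advisory describes: request text concatenated into the
// statement. With magic_quotes_gpc off, quotes in the input reach the SQL
// parser unchanged and the query text becomes user-controlled. Contrast only.
function search_unsafe(PDO $db, array $get): array
{
    $sql = "SELECT id, title, year FROM photos WHERE title LIKE '%" . ($get['qtitle'] ?? '') . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the statement text is fixed; values travel as parameters,
// so quoting in the input is data, not syntax. Numeric inputs are validated
// and typed before binding.
function search_safe(PDO $db, array $get): array
{
    $conditions = [];
    $params = [];

    if (isset($get['qtitle']) && $get['qtitle'] !== '') {
        // '!' is declared as the LIKE escape char so %, _ and ! in the
        // user's text match literally and cannot widen the search.
        $title = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], (string) $get['qtitle']);
        $conditions[] = "title LIKE :title ESCAPE '!'";
        $params[':title'] = '%' . $title . '%';
    }
    if (isset($get['qid']) && ctype_digit((string) $get['qid'])) {
        $conditions[] = 'id = :id';
        $params[':id'] = (int) $get['qid'];
    }
    if (isset($get['qyear']) && preg_match('/^\d{4}$/', (string) $get['qyear'])) {
        $conditions[] = 'year = :year';
        $params[':year'] = (int) $get['qyear'];
    }

    $sql = 'SELECT id, title, year FROM photos';
    if ($conditions !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $conditions);
    }
    $stmt = $db->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Login path (email, password): the email is bound, and the password is
// checked against a stored hash in PHP rather than compared inside the SQL.
function login_safe(PDO $db, string $email, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same result for unknown user and wrong password
    }
    return (int) $row['id'];
}

// Constructed in-memory database standing in for the application's tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE photos (id INTEGER PRIMARY KEY, title TEXT, year INTEGER)');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
$db->exec("INSERT INTO photos (title, year) VALUES ('Harbour at dusk', 2007), ('O''Brien''s barn', 2008)");
$ins = $db->prepare('INSERT INTO users (email, password_hash) VALUES (:e, :h)');
$ins->execute([':e' => 'alice@example.test', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// A constructed request whose title contains quotes: matched as plain text.
print_r(search_safe($db, ['qtitle' => "O'Brien's", 'qyear' => '2008']));
var_dump(login_safe($db, 'alice@example.test', 'correct horse'));   // int(1)
var_dump(login_safe($db, 'alice@example.test', 'wrong'));           // NULL
```

On MySQL-backed deployments, also set PDO::ATTR_EMULATE_PREPARES to false so the driver binds natively instead of re-inlining values client-side; SQLite's PDO driver does not accept that attribute, which is why the example above does not set it.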

Exploit · Fix · SQL injection


Weakness Enumeration

Related Identifiers: CVE-2008-3788

Affected Products: Picturespro Photo Cart