CVE-2014-3978

Name of the Vulnerable Software and Affected Versions TomatoCart version 1.1.8.6.1

Description The issue allows remote authenticated users to execute arbitrary SQL commands via the First Name and Last Name fields in a new address book contact. This can be achieved by injecting malicious SQL code into these fields.

Recommendations For TomatoCart version 1.1.8.6.1, consider validating and sanitizing user input for the First Name and Last Name fields to prevent SQL injection attacks. As a temporary workaround, restrict access to the address book contact functionality until a patch is available.