PT-2015-3677 · Oscommerce · Oscommerce Online Merchant

Publicado

2015-01-13

Atualizado

2017-09-08

CVE-2014-10033

CVSS v2.0

6.5

Média

Vetor

AV:N/AC:L/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions osCommerce Online Merchant versions 2.3.3.4 and earlier

Description The issue allows remote administrators to execute arbitrary SQL commands. This is achieved via the zID parameter in a list action, specifically targeting the update zone function in catalog/admin/geo zones.php.

Recommendations For osCommerce Online Merchant versions 2.3.3.4 and earlier, consider restricting access to the update zone function in catalog/admin/geo zones.php to minimize the risk of exploitation. Avoid using the zID parameter in the affected list action until the issue is resolved.

Exploit

Correção

SQL injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-89

Identificadores relacionados

CVE-2014-10033

Produtos afetados

Oscommerce Online Merchant

PT-2015-3677 · Oscommerce · Oscommerce Online Merchant

CVE-2014-10033

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 7