Modified Ecommerce · Modified Ecommerce Shopsoftware · CVE-2016-3694
**Name of the Vulnerable Software and Affected Versions**
modified eCommerce Shopsoftware version 2.0.0.0 revision 9678
**Description**
This SQL injection vulnerability allows remote attackers to execute arbitrary SQL commands via the `orders status` or `customers status` parameter of the "api/easybill/easybillcsv.php" endpoint.
**Recommendations**
For modified eCommerce Shopsoftware version 2.0.0.0 revision 9678, consider restricting access to the "api/easybill/easybillcsv.php" endpoint until a patch is available. As a temporary workaround, avoid using the `orders status` and `customers status` parameters in this endpoint to minimize the risk of exploitation.
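To support the recommendation above, here is an added example (not part of the advisory or of the modified eCommerce code base) that scans web-server access logs for requests to the affected endpoint and flags those from hosts outside an allowlist or carrying a status parameter that is not a plain integer. It assumes the status parameters appear in the query string under names containing "status" (shown here with underscores), that legitimate status identifiers are numeric, and that the allowlist `ALLOWED_SOURCES` is a hypothetical, site-specific value.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache/nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2016:12:00:01 +0100] "GET /api/easybill/easybillcsv.php?orders_status=3 HTTP/1.1" 200 512 "-" "curl/7.47"
198.51.100.7 - - [10/Mar/2016:12:00:02 +0100] "GET /api/easybill/easybillcsv.php?customers_status=1%20OR%201%3D1 HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:12:00:03 +0100] "GET /shop/index.php?cPath=21 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

ENDPOINT = "/api/easybill/easybillcsv.php"
# Hypothetical allowlist of hosts permitted to call the export endpoint (assumption, not from the advisory).
ALLOWED_SOURCES = {"203.0.113.5"}
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)


def parse_line(line):
    """Split one combined-format log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return (name, decoded value) pairs for query parameters whose name contains 'status'
    but whose value is not a plain non-negative integer (the assumed legitimate form)."""
    qs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return [(k, v) for k, v in qs if "status" in k.lower() and not re.fullmatch(r"\d+", v)]


def scan_log(text):
    """Return one finding per request to ENDPOINT that violates the allowlist or carries a
    non-numeric status parameter; requests to other paths are ignored."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or urlsplit(rec["target"]).path != ENDPOINT:
            continue
        reasons = []
        if rec["ip"] not in ALLOWED_SOURCES:
            reasons.append("source not in allowlist")
        bad = suspicious_params(rec["target"])
        if bad:
            reasons.append("non-numeric status parameter: " + ", ".join(f"{k}={v!r}" for k, v in bad))
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], "; ".join(f["reasons"]))
```

Run against real logs by feeding the file contents to `scan_log`; the allowlist check alone also identifies every caller that would be cut off if the endpoint were restricted as recommended.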