Laosiji

**Name of the Vulnerable Software and Affected Versions** Campcodes Retro Basketball Shoes Online Store version 1.0 **Description** A SQL injection issue exists in Campcodes Retro Basketball Shoes Online Store version 1.0. The issue is related to the manipulation of the `tid` parameter within an unknown function of the `/admin/receipt.php` file. This allows for remote execution of attacks. The exploit is publicly available. The vulnerability impacts the admin interface, which is frequently targeted by credential stuffing attempts. This issue falls within the scope of PCI DSS due to the potential exposure of payment card data, Personally Identifiable Information (PII), and order history. Access to payment data could necessitate forensic investigation and card reissuance. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Campcodes Retro Basketball Shoes Online Store version 1.0 **Description** A flaw exists that allows for unrestricted file uploads. This is possible through manipulation of the `product image` argument in the `/admin/admin football.php` file. The attack can be carried out remotely. The exploit has been publicly released. **Recommendations** Apply any available updates to address the unrestricted file upload issue in the `/admin/admin football.php` file. As a temporary workaround, restrict access to the `/admin/admin football.php` file to authorized personnel only. Avoid uploading untrusted files through the `product image` argument.

**Name of the Vulnerable Software and Affected Versions** Campcodes Retro Basketball Shoes Online Store version 1.0 **Description** A cross site scripting issue exists in Campcodes Retro Basketball Shoes Online Store version 1.0. Manipulation of the `product name` argument in the `/admin/admin running.php` file can lead to exploitation. The exploit has been publicly disclosed and may be utilized. **Recommendations** Apply any available updates to address the issue in the affected file `/admin/admin running.php`. As a temporary workaround, sanitize the `product name` input to prevent the injection of malicious scripts.