CVE-2009-4925

Name of the Vulnerable Software and Affected Versions Portale e-commerce Creasito version 1.3.16

Description The issue allows remote attackers to execute arbitrary SQL commands. This is possible via the username parameter to (1) "admin/checkuser.php" and (2) "checkuser.php" API endpoints when magic quotes gpc is disabled.

Recommendations For version 1.3.16, consider disabling the checkuser.php and admin/checkuser.php endpoints until a patch is available, or restrict access to these endpoints to minimize the risk of exploitation. Avoid using the username parameter in the affected API endpoints until the issue is resolved.