CVE-2014-5104

Name of the Vulnerable Software and Affected Versions ol-commerce version 2.1.1

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters in different PHP files, including the a country parameter in the "affiliate signup.php" file, the affiliate banner id parameter in the "affiliate show banner.php" file, the country parameter in the "create account.php" file, or the entry country id parameter in the "admin/create account.php" file.

Recommendations For ol-commerce version 2.1.1, consider restricting access to the vulnerable parameters a country, affiliate banner id, country, and entry country id in their respective PHP files until a patch is available. As a temporary workaround, avoid using these parameters in the affected API endpoints or files.