PT-2020-7709 · Unknown · Loaded Commerce

Breakingtech

·

Published

2020-01-03

·

Updated

2020-01-14

·

CVE-2014-5140

CVSS v2.0

6.5

Medium

Vector AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Loaded Commerce version 7
Description: The bindReplace function in the query factory does not properly handle colon (:) characters in bound values. A remote authenticated user can exploit this to conduct SQL injection attacks through the First name and Last name fields of the address book.
Recommendations: Upgrade to a release of Loaded Commerce in which the vendor has corrected bindReplace. Until that fix is applied, treat the First name and Last name address-book fields as untrusted input: reject values that contain a colon (the character the flaw depends on), or allow only the character set a name needs, and enforce this on the server side rather than in the browser. Do not simply disable bindReplace: it is the routine the query factory relies on to bind values into its queries, so removing it would break the application rather than close the hole. Where the code base permits, move the affected queries to server-side prepared statements (mysqli or PDO), which keep user values out of the SQL text entirely.
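The following is an added illustration, not Loaded Commerce's own code, of the bug class the description names: a query factory that binds values by replacing ":name" placeholders one at a time, so that a bound value containing the name of a later placeholder is expanded again and its content lands outside the quoted string. It is written in Python to model the PHP binder's behaviour; the table and column names, the escaping stand-in, the single-pass binder shown as the hardened form, and the interim input filter are all assumptions for this example.

```python
import re

# Template of the kind a query factory binds by name. The table and column
# names are constructed for this illustration, not taken from Loaded Commerce.
ADDRESS_INSERT = (
    "INSERT INTO address_book (entry_firstname, entry_lastname) "
    "VALUES (:firstname, :lastname)"
)


def prepare_input(value: str) -> str:
    """Stand-in for mysql_real_escape_string(): escapes backslash and quote.
    A colon is not special inside an SQL string, so it passes through."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def bind_sequential(sql: str, bindings: dict) -> str:
    """Vulnerable binder: one str.replace() per placeholder, applied in order.
    Text substituted for an earlier value is rescanned when later placeholders
    are replaced, so a value that contains ':lastname' gets expanded again."""
    for name, value in bindings.items():
        sql = sql.replace(":" + name, "'" + prepare_input(value) + "'")
    return sql


PLACEHOLDER = re.compile(r":([A-Za-z_]\w*)")


def bind_single_pass(sql: str, bindings: dict) -> str:
    """Hardened binder: every placeholder is resolved in one pass over the
    original template. Substituted text is never scanned again, so a colon in
    a value cannot create a new placeholder."""
    def replace(match):
        name = match.group(1)
        if name not in bindings:
            raise KeyError("unbound placeholder :" + name)
        return "'" + prepare_input(bindings[name]) + "'"
    return PLACEHOLDER.sub(replace, sql)


def name_field_ok(value: str) -> bool:
    """Interim server-side filter for the address-book name fields: reject the
    colon the bug depends on, control characters, and over-long values.
    The 64-character bound is an assumption for this example."""
    return 0 < len(value) <= 64 and not re.search(r"[:\x00-\x1f\x7f]", value)


# Constructed input: the first name smuggles the *name* of the second
# placeholder; the last name is harmless on its own.
FIRST_NAME = "Alice :lastname"
LAST_NAME = "Bob"


def vulnerable_query() -> str:
    return bind_sequential(ADDRESS_INSERT,
                           {"firstname": FIRST_NAME, "lastname": LAST_NAME})


def hardened_query() -> str:
    return bind_single_pass(ADDRESS_INSERT,
                            {"firstname": FIRST_NAME, "lastname": LAST_NAME})


if __name__ == "__main__":
    # Sequential binding yields VALUES ('Alice 'Bob'', 'Bob'): the literal
    # 'Alice ' is closed and Bob sits in bare SQL, so whoever controls the
    # last name controls the statement. Single-pass binding keeps the colon
    # inside the first value: VALUES ('Alice :lastname', 'Bob').
    print("sequential :", vulnerable_query())
    print("single-pass:", hardened_query())
    print("filter accepts first name:", name_field_ok(FIRST_NAME))
```

The single-pass binder only removes the re-expansion; it still depends on correct escaping of the value, which is why the durable fix is a server-side prepared statement rather than any textual substitution.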

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2014-5140

Affected Products

Loaded Commerce