CVE-2019-25496

Name of the Vulnerable Software and Affected Versions osCommerce version 2.3.4.1

Description The software contains a SQL injection issue that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL code through the products id parameter. Specifically, modifying the products id value in requests to the 'product info.php' resource and appending boolean-based SQL injection payloads allows extraction of sensitive database information.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize the products id parameter in 'product info.php' requests to prevent SQL injection.