Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 5.0
CVE Id: CVE-2005-2220
Last Modified: 05 Sep 2008 04:51:11
Published: 12 Jul 2005 12:00:00
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2005-2220

Summary

** DISPUTED ** Dragonfly Commerce allows remote attackers to change a product price by modifying the x_DragonflyCartProductPrice hidden field to (1) dc_Categorieslist.asp, (2) dc_Categoriesview.asp, (3) dc_productslist.asp, and (4) dc_productslist_Clearance.asp. NOTE: the vendor has disputed this issue, saying that "Dragonfly Commerce does not allow for editing prices nor does it allow for viewing information about clients stored in the database except by the store owner and authorized staff as appointed in the store administration." However, SecurityTracker claims that they have been able to confirm the problem.

Vulnerable Systems

Application

  • Incredible Interactive Dragonfly Commerce


References

MISC - http://www.digitalparadox.org/viewadvisories.ah?view=46

SECTRACK - 1014451

BUGTRAQ - 20050712 Dragonfly Shopping Cart Multiple vulnerabilities


Last Updated: 27 May 2016 10:40:26