Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 6.8
CVE Id: CVE-2008-6985
Last Modified: 01 Sep 2009 01:25:18
Published: 19 Aug 2009 01:24:52
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2008-6985

Summary

Multiple SQL injection vulnerabilities in includes/classes/shopping_cart.php in Zen Cart 1.2.0 through 1.3.8a, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the id parameter when (1) adding or (2) updating the shopping cart.

Vulnerable Systems

Application

  • Zen-cart Zen Cart 1.2.0d

  • Zen-cart Zen Cart 1.2.1 Patch1

  • Zen-cart Zen Cart 1.2.1d

  • Zen-cart Zen Cart 1.2.2d

  • Zen-cart Zen Cart 1.2.3d

  • Zen-cart Zen Cart 1.2.4.1

  • Zen-cart Zen Cart 1.2.4d

  • Zen-cart Zen Cart 1.2.5d

  • Zen-cart Zen Cart 1.2.6d

  • Zen-cart Zen Cart 1.3

  • Zen-cart Zen Cart 1.3.2

  • Zen-cart Zen Cart 1.3.5

  • Zen-cart Zen Cart 1.3.6

  • Zen-cart Zen Cart 1.3.7

  • Zen-cart Zen Cart 1.3.8

  • Zen-cart Zen Cart 1.3.8a


References

XF - zencart-shoppingcart-sql-injection(44917)

CONFIRM - http://www.zen-cart.com/forum/showthread.php?p=604473

BID - 31023

BUGTRAQ - 20080904 Re: Zen Cart <= 1.3.8a SQL Injection

BUGTRAQ - 20080904 Zen Cart <= 1.3.8a SQL Injection

OSVDB - 48346

MISC - http://www.gulftech.org/?node=research&article_id=00129-09042008

SECUNIA - 31758


Last Updated: 27 May 2016 10:49:25