Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 6.8
CVE Id: CVE-2008-6986
Last Modified: 19 Aug 2009 12:00:00
Published: 19 Aug 2009 01:24:52
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2008-6986

Summary

SQL injection vulnerability in the actionMultipleAddProduct function in includes/classes/shopping_cart.php in Zen Cart 1.3.0 through 1.3.8a, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the products_id array parameter in a multiple_products_add_product action, a different vulnerability than CVE-2008-6985.

Vulnerable Systems

Application

  • Zen-cart Zen Cart 1.3

  • Zen-cart Zen Cart 1.3.0.2

  • Zen-cart Zen Cart 1.3.2

  • Zen-cart Zen Cart 1.3.5

  • Zen-cart Zen Cart 1.3.6

  • Zen-cart Zen Cart 1.3.7

  • Zen-cart Zen Cart 1.3.8

  • Zen-cart Zen Cart 1.3.8a


References

CONFIRM - http://www.zen-cart.com/forum/showthread.php?p=604473

BID - 31023

BUGTRAQ - 20080904 Re: Zen Cart <= 1.3.8a SQL Injection

BUGTRAQ - 20080904 Zen Cart <= 1.3.8a SQL Injection

OSVDB - 48347

MISC - http://www.gulftech.org/?node=research&article_id=00129-09042008

SECUNIA - 31758


Last Updated: 27 May 2016 10:49:25