ID: CVE-2004-2025
Type: cve
Reporter: cve@mitre.org
Modified: 2008-09-05T20:43:00
Description
SQL injection vulnerability in application_top.php for Zen Cart 1.1.3 before patch 2 may allow remote attackers to execute arbitrary SQL commands via the products_id parameter.
{"osvdb": [{"lastseen": "2017-04-28T13:20:13", "bulletinFamily": "software", "cvelist": ["CVE-2004-2025"], "edition": 1, "description": "## Vulnerability Description\nZen Cart contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. The issue is due to the 'products_id' variable in the 'application_top.php' script not being properly sanitized and may allow a remote attacker to inject or manipulate SQL queries.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Ian C. Wilson has released a patch to address this vulnerability.\n## Short Description\nZen Cart contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. The issue is due to the 'products_id' variable in the 'application_top.php' script not being properly sanitized and may allow a remote attacker to inject or manipulate SQL queries.\n## References:\nVendor URL: http://www.zen-cart.com/modules/frontpage/\nVendor Specific News/Changelog Entry: http://www.zen-cart.com/modules/mydownloads/viewcat.php?cid=31&orderby=dateD\nVendor Specific News/Changelog Entry: http://www.zen-cart.com/modules/ipb/index.php?showtopic=3731\n[CVE-2004-2025](https://vulners.com/cve/CVE-2004-2025)\n", "modified": "2005-04-16T00:00:00", "published": "2005-04-16T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:16892", "id": "OSVDB:16892", "title": "Zen Cart application_top.php products_id Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}