Lucene search

[email protected]CVE-2005-2220

HistoryJul 12, 2005 - 4:00 a.m.

CVE-2005-2220

2005-07-1204:00:00

NVD-CWE-Other

[email protected]

web.nvd.nist.gov

dragonfly commerce

remote attack

product price

hidden field

security vulnerability

nvd

cve-2005-2220

7 High

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.006 Low

EPSS

Percentile

77.9%

JSON

Dragonfly Commerce allows remote attackers to change a product price by modifying the x_DragonflyCartProductPrice hidden field to (1) dc_Categorieslist.asp, (2) dc_Categoriesview.asp, (3) dc_productslist.asp, and (4) dc_productslist_Clearance.asp. NOTE: the vendor has disputed this issue, saying that “Dragonfly Commerce does not allow for editing prices nor does it allow for viewing information about clients stored in the database except by the store owner and authorized staff as appointed in the store administration.” However, SecurityTracker claims that they have been able to confirm the problem

CPENameOperatorVersion
incredible_interactive:dragonfly_commerceincredible interactive dragonfly commerceeq*

CPE	Name	Operator	Version
incredible_interactive:dragonfly_commerce	incredible interactive dragonfly commerce	eq	*

References

marc.info/?l=bugtraq&m=112121930328341&w=2

securitytracker.com/id?1014451

www.digitalparadox.org/viewadvisories.ah?view=46

7 High

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.006 Low

EPSS

Percentile

77.9%

JSON