ID CVE-2005-4614 Type cve Reporter cve@mitre.org Modified 2017-07-20T01:29:00
Description
Multiple SQL injection vulnerabilities in digiSHOP 3.1.17 and earlier allow remote attackers to execute arbitrary SQL commands or obtain the full installation path via (1) the c parameter in cart.php and (2) unspecified search module parameters.
{
  "osvdb": [
    {
      "lastseen": "2017-04-28T13:20:18",
      "bulletinFamily": "software",
      "cvelist": ["CVE-2005-4614"],
      "edition": 1,
      "description": "## Vulnerability Description\ndigiSHOP contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the cart.php script not properly sanitizing user-supplied input to the 'c' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Technical Description\nUsing a crafted failed SQL query, an attacker may also be able to disclose the installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Solution Description\nUpgrade to version 3.2.3 or higher, as it has been reported to fix this vulnerability. The vendor also states \"that anyone who has a version of digiSHOP that has this issue can contact Sum Effect Software, Inc. support and have the issue resolved at no charge.\"\n## Short Description\ndigiSHOP contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the cart.php script not properly sanitizing user-supplied input to the 'c' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\n/cart.php?m=product_list&c=[SQL]\n## References:\nVendor URL: http://digishop.sumeffect.com/\n[Related OSVDB ID: 21303](https://vulners.com/osvdb/OSVDB:21303)\nOther Advisory URL: http://pridels.blogspot.com/2005/11/digishop-3x-sql-injection-vuln.html\nISS X-Force ID: 23357\nISS X-Force ID: 23358\n[CVE-2005-4614](https://vulners.com/cve/CVE-2005-4614)\n",
      "modified": "2005-11-23T21:54:42",
      "published": "2005-11-23T21:54:42",
      "href": "https://vulners.com/osvdb/OSVDB:21302",
      "id": "OSVDB:21302",
      "title": "digiSHOP cart.php c Variable SQL Injection",
      "type": "osvdb",
      "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}
    },
    {
      "lastseen": "2017-04-28T13:20:18",
      "bulletinFamily": "software",
      "cvelist": ["CVE-2005-4614"],
      "edition": 1,
      "description": "## Vulnerability Description\ndigiSHOP contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search query not properly sanitizing user-supplied input to unspecified variable(s). This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Technical Description\nUsing a crafted failed SQL query, an attacker may also be able to disclose the installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\ndigiSHOP contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search query not properly sanitizing user-supplied input to unspecified variable(s). This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## References:\nVendor URL: http://digishop.sumeffect.com/\n[Related OSVDB ID: 21302](https://vulners.com/osvdb/OSVDB:21302)\nOther Advisory URL: http://pridels.blogspot.com/2005/11/digishop-3x-sql-injection-vuln.html\nISS X-Force ID: 23357\nISS X-Force ID: 23358\nFrSIRT Advisory: ADV-2005-2563\n[CVE-2005-4614](https://vulners.com/cve/CVE-2005-4614)\n",
      "modified": "2005-11-23T21:54:42",
      "published": "2005-11-23T21:54:42",
      "href": "https://vulners.com/osvdb/OSVDB:21303",
      "id": "OSVDB:21303",
      "title": "digiSHOP Search Query SQL Injection",
      "type": "osvdb",
      "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}
    }
  ]
}
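The OSVDB entry above gives the probe shape for the cart.php issue as /cart.php?m=product_list&c=[SQL]. The following is an added example, not part of the advisory and not digiSHOP's own code: a small log-hunting check that pulls the `c` parameter out of cart.php requests in Apache combined-format access logs and flags values that look like injection probes. It assumes a legitimate `c` value is a plain integer identifier (an assumption about digiSHOP, not something the advisory states) and that the logs are in Apache combined format; the sample log lines are constructed, not real traffic.

```python
"""Flag cart.php requests whose 'c' parameter looks like an SQL injection probe.

Added example, not part of the advisory or the vendor's code. Assumptions:
Apache combined log format, and a legitimate digiSHOP 'c' value is a bare
integer id (the advisory does not say what 'c' normally holds).
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines (not real traffic). Lines 2, 3 and 5 are shaped
# like the advisory's manual testing note /cart.php?m=product_list&c=[SQL].
SAMPLE_LOG = """\
203.0.113.5 - - [23/Nov/2005:10:01:02 +0000] "GET /cart.php?m=product_list&c=12 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Nov/2005:10:01:09 +0000] "GET /cart.php?m=product_list&c=12%27 HTTP/1.1" 200 912 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Nov/2005:10:02:44 +0000] "GET /cart.php?m=product_list&c=1+UNION+SELECT+1,2,3--+- HTTP/1.1" 200 5310 "-" "curl/7.15"
198.51.100.7 - - [23/Nov/2005:10:03:10 +0000] "GET /index.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Nov/2005:10:03:55 +0000] "POST /cart.php?m=product_list&c=1%20OR%201%3D1 HTTP/1.1" 200 5310 "-" "curl/7.15"
"""

# Enough of the combined format to get client IP, method, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Common probe shapes once the value is URL-decoded: quotes, SQL comment
# openers, UNION/SELECT, and 'OR x=' / 'AND x=' tautologies.
SQLI_RE = re.compile(
    r"""['"]|--|/\*|\bunion\b|\bselect\b|\bor\b\s+\S+\s*=|\band\b\s+\S+\s*=""",
    re.IGNORECASE,
)


def classify_c_param(target):
    """Return (c_value, verdict) for a request target, or None when the
    request is not cart.php or carries no 'c' parameter.

    verdict is 'ok' (bare integer), 'sqli-probe' (matches SQLI_RE) or
    'non-numeric' (unexpected but no obvious SQL metacharacters).
    """
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "cart.php":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "c" not in params:
        return None
    # parse_qs already percent-decodes once; decode again so a double-encoded
    # probe such as c=12%2527 is inspected as 12' rather than 12%27.
    value = unquote_plus(params["c"][0])
    if value.isdigit():
        return value, "ok"
    if SQLI_RE.search(value):
        return value, "sqli-probe"
    return value, "non-numeric"


def scan_log(text):
    """Return [(ip, method, c_value, verdict)] for every cart.php request
    whose 'c' parameter is anything other than a bare integer."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        result = classify_c_param(m["target"])
        if result is None or result[1] == "ok":
            continue
        findings.append((m["ip"], m["method"], result[0], result[1]))
    return findings


if __name__ == "__main__":
    for ip, method, value, verdict in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} c={value!r} -> {verdict}")
```

The integer check does the real work; the regex only labels how the probe looks. Treat any `non-numeric` hit the same way as `sqli-probe` when hunting, since an application that concatenates `c` into a query does not care whether the payload matches a signature. Extend the same check to the search module's parameters once the affected variable names are known; the advisory does not name them.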