Lucene search

[email protected]CVE-2008-0546

HistoryFeb 01, 2008 - 8:00 p.m.

CVE-2008-0546

2008-02-0120:00:00

CWE-89

[email protected]

web.nvd.nist.gov

sql injection

candypress

remote attackers

nvd

cve-2008-0546

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

8.5 High

AI Score

Confidence

Low

0.004 Low

EPSS

Percentile

72.4%

JSON

Multiple SQL injection vulnerabilities in CandyPress (CP) 4.1.1.26, and earlier 4.1.x versions, allow remote attackers to execute arbitrary SQL commands via the (1) idProduct and (2) options parameters to (a) ajax/ajax_optInventory.asp, or the (2) recid parameter to (b) ajax/ajax_getBrands.asp.

Affected configurations

NVD

Node

shoppingtreecandypress_storeMatch4.1

shoppingtreecandypress_storeMatch4.1.1.26

CPENameOperatorVersion
shoppingtree:candypress_storeshoppingtree candypress storeeq4.1
shoppingtree:candypress_storeshoppingtree candypress storeeq4.1.1.26

CPE	Name	Operator	Version
shoppingtree:candypress_store	shoppingtree candypress store	eq	4.1
shoppingtree:candypress_store	shoppingtree candypress store	eq	4.1.1.26

References

secunia.com/advisories/28662

securityreason.com/securityalert/3600

www.candypress.com/CPforum/forum_posts.asp?TID=10630&PN=1

www.securityfocus.com/archive/1/487058/100/0/threaded

www.securityfocus.com/bid/27454

www.vupen.com/english/advisories/2008/0314

exchange.xforce.ibmcloud.com/vulnerabilities/39939

www.exploit-db.com/exploits/4988

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

8.5 High

AI Score

Confidence

Low

0.004 Low

EPSS

Percentile

72.4%

JSON

Related for CVE-2008-0546

cvelist1 prion1 nvd1