ID CVE-2004-0300
Summary SQL injection vulnerability in Online Store Kit 3.0 allows remote attackers to inject arbitrary SQL and gain unauthorized access via (1) the cat parameter in shop.php, (2) the id parameter in more.php, (3) the cat_manufacturer parameter in shop_by_brand.php, or (4) the id parameter in listing.php.
References
Vulnerable Configurations
  • cpe:2.3:a:ecommerce_corporation_online:store_kit:3.0_lite:*:*:*:*:*:*:*
  • cpe:2.3:a:ecommerce_corporation_online:store_kit:3.0_pro:*:*:*:*:*:*:*
  • cpe:2.3:a:ecommerce_corporation_online:store_kit:3.0_standard:*:*:*:*:*:*:*
CVSS
Base: 10.0 (as of 11-07-2017 - 01:30)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
cvss-vector via4 AV:N/AC:L/Au:N/C:C/I:C/A:C
refmap via4
bid
  • 9676
  • 9687
bugtraq 20040218 ZH2004-07SA (security advisory): Multiple Sql injection
misc
osvdb 3973
sectrack 1009092
secunia 10902
xf onlinestorekit-more-sql-injection(15232)
Last major update 11-07-2017 - 01:30
Published 23-11-2004 - 05:00
Last modified 11-07-2017 - 01:30