CVE-2007-2862 - Multiple SQL injection vulnerabilities in CubeCart 3.0.16 might allow remote attackers to execute ar

CVE-2007-2862

Summary

Multiple SQL injection vulnerabilities in CubeCart 3.0.16 might allow remote attackers to execute arbitrary SQL commands via an unspecified parameter to cart.inc.php and certain other files in an include directory, related to missing sanitization of the $option variable and possibly cookie modification.

References

http://osvdb.org/38100
http://securityreason.com/securityalert/2730
http://www.securityfocus.com/archive/1/469301/100/0/threaded
http://www.securityfocus.com/bid/24100
https://exchange.xforce.ibmcloud.com/vulnerabilities/34460

Vulnerable Configurations

cpe:2.3:a:devellion:cubecart:3.0.16:*:*:*:*:*:*:*
cpe:2.3:a:devellion:cubecart:3.0.16:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 16-10-2018 - 16:45)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

bid	24100
bugtraq	20070521 RedLevel Advisory #021 - CubeCart v3.0.16 SQL Injection Vulnerability
osvdb	38100
sreason	2730
xf	cubecart-unspecified-sql-injection(34460)

Last major update

16-10-2018 - 16:45

Published

24-05-2007 - 19:30

Last modified

16-10-2018 - 16:45