| Field | Value |
| --- | --- |
| VID | 21562 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | Comersus BackOffice Lite contains an SQL injection vulnerability in comersus_backoffice_login.php. Comersus Cart is a freely available shopping cart program for Microsoft Windows and Linux operating systems; Comersus BackOffice Lite is a basic administrative utility for Comersus. Comersus BackOffice Lite versions 5.098 and earlier allow a remote attacker to execute arbitrary SQL commands because user-supplied input to the 'adminpassword' parameter of the comersus_backoffice_login script is not properly filtered. A remote attacker could pass malicious input into database queries, potentially resulting in data exposure, modification of the query logic, data modification, or attacks against the database itself. Platforms affected: Comersus Open Technologies, Comersus BackOffice Lite versions 5.098 and earlier; any operating system, any version. |
| Recommendation | Upgrade to the latest version of Comersus Cart (5.0991 or later), available from the Comersus Cart Web site at http://www.comersus.com/comersus-downloads/ |
| Related URL | CVE-2004-0681, CVE-2004-0682 (CVE) |
| Related URL | 10674, 10824 (SecurityFocus) |
| Related URL | 16645, 16646 (ISS) |