ZeusCart 4.0 - Admin SQL Injection Vulnerability

Published: 2025-04-13
Revised: 2025-04-13

ZeusCart 4.0: SQL Injection Security Advisory – Curesec Research Team

1. Introduction

Affected Product: ZeusCart 4.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: support@zeuscart.com
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 08/13/2015
Disclosed to public: 09/14/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

There are at least two SQL Injections in ZeusCart 4.0, one being a blind injection which does not require credentials to be exploited, the other being a standard injection in the admin area. Because the prevention of SQL Injection depends to a large part on applying simple filters on most input instead of using prepared statements, it is highly likely that there will be more SQL injection vulnerabilities that are not covered here.

3. Timing based Blind SQL Injection

There is a blind timing based SQL injection into the maincatid argument. An attacker does not need to be...

No Exploit or PoC currently available
Currently 0 affected product records