CVE-2014-5104
published 2014-07-28CVE-2014-5104: Multiple SQL injection vulnerabilities in ol-commerce 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) a_country parameter in a…
PriorityP350high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
2.14%
79.8th percentile
Multiple SQL injection vulnerabilities in ol-commerce 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) a_country parameter in a process action to affiliate_signup.php, (2) affiliate_banner_id parameter to affiliate_show_banner.php, (3) country parameter in a process action to create_account.php, or (4) entry_country_id parameter in an edit action to admin/create_account.php.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ol-commerce_project | ol-commerce | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
OL-Commerce - '/OL-Commerce/create_account.php?country' SQL Injection
exploitdb·2014-07-17
CVE-2014-5104 OL-Commerce - '/OL-Commerce/create_account.php?country' SQL Injection
OL-Commerce - '/OL-Commerce/create_account.php?country' SQL Injection
---
source: https://www.securityfocus.com/bid/68719/info
ol-commerce is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ol-commerce 2.1.1 is vulnerable; other versions may also be affected.
http://www.example.com/OL-Commerce/create_account.php
POST /OL-Commerce/create_account.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
Firefo
Exploit-DB
OL-Commerce - '/OL-Commerce/affiliate_signup.php?a_country' SQL Injection
exploitdb·2014-07-17
CVE-2014-5104 OL-Commerce - '/OL-Commerce/affiliate_signup.php?a_country' SQL Injection
OL-Commerce - '/OL-Commerce/affiliate_signup.php?a_country' SQL Injection
---
source: https://www.securityfocus.com/bid/68719/info
ol-commerce is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ol-commerce 2.1.1 is vulnerable; other versions may also be affected.
http://www.example.com/OL-Commerce/affiliate_signup.php
POST /OL-Commerce/affiliate_signup.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/2010010
Exploit-DB
OL-Commerce - '/OL-Commerce/admin/create_account.php?entry_country_id' SQL Injection
exploitdb·2014-07-17
CVE-2014-5104 OL-Commerce - '/OL-Commerce/admin/create_account.php?entry_country_id' SQL Injection
OL-Commerce - '/OL-Commerce/admin/create_account.php?entry_country_id' SQL Injection
---
source: https://www.securityfocus.com/bid/68719/info
ol-commerce is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ol-commerce 2.1.1 is vulnerable; other versions may also be affected.
http://www.example.com/OL-Commerce/admin/create_account.php?action=edit
POST /OL-Commerce/admin/create_account.php?action=edit HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Wi
Exploit-DB
OL-Commerce - '/OL-Commerce/affiliate_show_banner.php?affiliate_banner_id' SQL Injection
exploitdb·2014-07-17
CVE-2014-5104 OL-Commerce - '/OL-Commerce/affiliate_show_banner.php?affiliate_banner_id' SQL Injection
OL-Commerce - '/OL-Commerce/affiliate_show_banner.php?affiliate_banner_id' SQL Injection
---
source: https://www.securityfocus.com/bid/68719/info
ol-commerce is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ol-commerce 2.1.1 is vulnerable; other versions may also be affected.
http://www.example.com/OL-Commerce/affiliate_show_banner.php?ref=1&affiliate_banner_id=1[SQL INJECTION]
No writeups or analysis indexed.
2014-07-28
Published