CVE-2014-5140
Published: Jan 3, 2020
Modified: Aug 6, 2024
PUBLISHED
Description
The bindReplace function in the query factory in includes/classes/database.php in Loaded Commerce 7 does not properly handle : (colon) characters, which allows remote authenticated users to conduct SQL injection attacks via the First name and Last name fields in the address book.
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
http://www.exploit-db.com/exploits/34552
x_refsource_MISC
https://exchange.xforce.ibmcloud.com/vulnerabilities/95791
x_refsource_MISC
https://github.com/loadedcommerce/loaded7/pull/520
x_refsource_MISC