SQL injection in aWeb Cart Watching System for Virtuemart - CVE-2016-10114
Published: January 4, 2017 / Updated: January 4, 2017
aWeb Cart Watching System for Virtuemart
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary SQL commands in the vulnerable application.
The vulnerability exists in aWeb Cart Watching System for Virtuemart for Joomla! due to insufficient sanitization of user-supplied data passed via the "categorysearch" and "smartSearch" parameters. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application's database.
Successful exploitation may allow an attacker to gain complete control over the vulnerable website.
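
The advisory names the two affected parameters, which is enough to review web server access logs for probing. The following is an added example, not code from the advisory or the extension: a Python triage script that flags "categorysearch" and "smartSearch" values carrying SQL-like syntax. The Combined Log Format, the indicator regex, the request paths and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Parameter names from the advisory (PHP request keys are case-sensitive).
WATCHED_PARAMS = {"categorysearch", "smartSearch"}

# Heuristic signs of SQL syntax in a search value (assumption: tune per site).
SQL_INDICATORS = re.compile(
    r"""['"`;\\]|--|/\*|\b(?:union|select|sleep|benchmark|information_schema)\b""",
    re.IGNORECASE,
)

# Client address and request target from a Combined Log Format entry.
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return (client, [(param, decoded_value), ...]) if a watched parameter
    carries SQL-like syntax, otherwise None."""
    m = REQUEST_RE.match(log_line)
    if not m:
        return None
    client, target = m.groups()
    hits = []
    # parse_qsl decodes once; decode again so double-encoded values are seen.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)
        if name in WATCHED_PARAMS and SQL_INDICATORS.search(decoded):
            hits.append((name, decoded))
    return (client, hits) if hits else None

def scan(lines):
    """Flagged entries only, in input order."""
    return [r for r in map(suspicious_params, lines) if r]

# Constructed sample log lines (documentation-range IPs, placeholder paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jan/2017:10:00:01 +0000] "GET /index.php?smartSearch=red+shoes HTTP/1.1" 200 5120',
    '198.51.100.23 - - [04/Jan/2017:10:00:02 +0000] "GET /index.php?smartSearch=shoes%27%20UNION%20SELECT%201 HTTP/1.1" 500 310',
    '198.51.100.24 - - [04/Jan/2017:10:00:03 +0000] "GET /index.php?categorysearch=12%2527 HTTP/1.1" 200 4980',
    '203.0.113.9 - - [04/Jan/2017:10:00:04 +0000] "GET /index.php?keyword=o%27brien HTTP/1.1" 200 5001',
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG):
        print(client, hits)
```

Access logs record only query strings, so values sent in POST bodies need WAF or application-level logging. Legitimate searches containing apostrophes will also be flagged, so treat hits as leads for review.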