CVE-2008-6258

QuadComm Q-Shop 3.0 - SQL Injection via UserID or Pwd Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-6258. PoCs published by Bl@ckbe@rD.

AI-analyzed exploit summary: This exploit demonstrates an authentication bypass via SQL injection and a stored XSS vulnerability in Q-Shop v3.0. The SQL injection allows unauthenticated login by manipulating the UserID and Pwd parameters, while the XSS exploit injects arbitrary JavaScript via the search functionality.

Description

SQL injection vulnerability in users.asp in QuadComm Q-Shop 3.0, and possibly earlier, allows remote attackers to execute arbitrary SQL commands via the (1) UserID and (2) Pwd parameters. NOTE: this might be related to CVE-2004-2108.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Bl@ckbe@rD · text · webapps · asp
https://www.exploit-db.com/exploits/7141

Classification: Working PoC 90%
Attack Type: SQLi | XSS | Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Q-Shop v3.0 (possibly prior versions)
No auth needed
Prerequisites: Target running Q-Shop v3.0 with exposed users.asp and search.asp endpoints
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/46649
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7141
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/32329
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/32742

Scores

EPSS 0.0097
EPSS Percentile 57.4%

Details

CWE: CWE-89
Status: published
Products (1): quadcomm/q-shop 3.0
Published: Feb 24, 2009
Tracked Since: Feb 18, 2026