Description
Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/sqlpatch.php, which allows remote attackers to execute arbitrary SQL commands via the query_string parameter in an execute action, in conjunction with a PATH_INFO of password_forgotten.php, related to a "SQL Execution" issue.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by BlackH · pythonwebappsphp
https://www.exploit-db.com/exploits/9005
References (7)
Core 7
Core References
Patch x_refsource_confirm
http://www.zen-cart.com/forum/showthread.php?t=130161
Exploit, Patch vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/35468
Patch, Vendor Advisory x_refsource_confirm
http://www.zen-cart.com/forum/attachment.php?attachmentid=5965
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/51317
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://www.osvdb.org/55343
Exploit, Third Party Advisory exploit
x_refsource_exploit-db
http://www.exploit-db.com/exploits/9005
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/35550
Scores
EPSS
0.0956
EPSS Percentile
92.9%
Details
CWE
CWE-89
Status
published
Products (9)
zen-cart/zen_cart
1.1.0
zen-cart/zen_cart
1.1.3
zen-cart/zen_cart
1.2.0d
zen-cart/zen_cart
1.2.1d
zen-cart/zen_cart
1.2.4d
zen-cart/zen_cart
1.3.6
zen-cart/zen_cart
1.3.7
zen-cart/zen_cart
1.3.8
zen-cart/zen_cart
< 1.3.8a
Published
Jun 30, 2009
Tracked Since
Feb 18, 2026