CVE-2014-5140
HIGHLoaded Commerce 7 - Authenticated SQL Injection via Address Book Fields
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2014-5140. PoCs published by Breaking.Technology.
AI-analyzed exploit summary This exploit demonstrates a SQL injection vulnerability in LoadedCommerce 7's query factory. By manipulating input fields in the address book, an attacker can extract admin credentials (username and password hash) from the database.
Description
The bindReplace function in the query factory in includes/classes/database.php in Loaded Commerce 7 does not properly handle : (colon) characters, which allows remote authenticated users to conduct SQL injection attacks via the First name and Last name fields in the address book.
Exploits (1)
This exploit demonstrates a SQL injection vulnerability in LoadedCommerce 7's query factory. By manipulating input fields in the address book, an attacker can extract admin credentials (username and password hash) from the database.
References (5)
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H