CVE-2005-4243

EPSS 4.7%

Multiple SQL injection vulnerabilities in QuickPayPro 3.1 allow remote attackers to execute arbitrary SQL commands via the (1) popupid parameter in popups.edit.php; (2) so, (3) sb, and (4) nr parameters in customer.tickets.view.php; (5) subrackingid parameter in subscribers.tracking.edit.php; (6) delete parameter in design.php; (7) trackingid parameter in tracking.details.php; and (8) customerid parameter in sales.view.php.

Affected products

n/a · n/a

public PoCs found — 6

exploitdbwww.exploit-db.com/exploits/26828unverified exploitdbwww.exploit-db.com/exploits/26830unverified exploitdbwww.exploit-db.com/exploits/26827unverified exploitdbwww.exploit-db.com/exploits/26832unverified exploitdbwww.exploit-db.com/exploits/26829unverified exploitdbwww.exploit-db.com/exploits/26831unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://pridels0.blogspot.com/2005/12/quickpaypro-31-multiple-vuln.html http://secunia.com/advisories/17981 http://www.osvdb.org/21676 http://www.osvdb.org/21677 http://www.osvdb.org/21678 http://www.osvdb.org/21679 http://www.osvdb.org/21680 http://www.osvdb.org/21681 http://www.securityfocus.com/bid/15863 http://www.vupen.com/english/advisories/2005/2875