CVE-2021-47909
8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Mult-E-Cart Ultimate 2.4 contains multiple SQL injection vulnerabilities in inventory, customer, vendor, and order modules. Remote attackers with privileged vendor or admin roles can exploit the 'id' parameter to execute malicious SQL commands and compromise the database management system.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Techraft | Digital Multivendor Marketplace Online Store | 2.4 | affected |
Weaknesses
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
References
- https://www.vulnerability-lab.com/get_content.php?id=2306
- https://ultimate.multecart.com/
- https://www.techraft.in/
- https://www.vulncheck.com/advisories/mult-e-cart-ultimate-sql-injection-via-vulnerable-id-parameters
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.