CVE-2008-3788

Multiple SQL injection vulnerabilities in PICTURESPRO Photo Cart 3.9, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) qtitle, (2) qid, and (3) qyear parameters to (a) search.php, and the (4) email and (5) password parameters to (b) _login.php.

Published: Aug 26, 2008
Updated: Apr 13, 2023
CVE: CVE-2008-3788
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
picturespro / picturespro_photo_cart	3.9	3.9.x

http://packetstormsecurity.org/0808-exploits/photocart-sql.txt
http://securityreason.com/securityalert/4188
http://www.securityfocus.com/bid/30786
https://exchange.xforce.ibmcloud.com/vulnerabilities/44607
https://www.exploit-db.com/exploits/6285

Vulnerability Database

CVE-2008-3788