Intrusion Prevention

ZenCart.Password.Forgotten.SQL.Injection

Description

SQL injection vulnerability in admin/password_forgotten.php, in Zen Cart 1.2.6d and earlier, allows remote attackers to execute arbitrary SQL commands via the admin_email parameter.

Affected Products

Zen Cart Web Shopping Cart 1.2.6 d
Zen Cart Web Shopping Cart 1.1.2 d
Not Vulnerable: Zen Cart Web Shopping Cart 1.2.7

Impact

Execute arbitrary SQL commands

Recommended Actions

The vendor has released an update to address this issue.
Zen Cart Web Shopping Cart 1.1.2 d
Zen Cart zen-cart-1-2-7-d_full-release.zip
http://prdownloads.sourceforge.net/zencart/zen-cart-1-2-7-d_full-release.zip
ZenCart sql_injection_fix.zip
http://www.zen-cart.com/modules/mydownloads/
Zen Cart Web Shopping Cart 1.2.6 d
Zen Cart zen-cart-1-2-7-d_full-release.zip
http://prdownloads.sourceforge.net/zencart/zen-cart-1-2-7-d_full-release.zip
ZenCart sql_injection_fix.zip
http://www.zen-cart.com/modules/mydownloads/

CVE References

CVE-2005-3996