Primary

Context

osCommerce SQL Injection Vulnerability in Shopping Cart Component

Vulnerability

A SQL injection vulnerability has been identified in osCommerce version 2.3.4.1. This vulnerability allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'currency' parameter. Exploitation involves sending GET requests to 'shopping_cart.php' with crafted currency values that include boolean-based SQL injection payloads, enabling the extraction of sensitive database information.

Impact

Exploitation of this vulnerability allows for SQL injection, where attackers can manipulate database queries and potentially access or modify sensitive database information.

Reproduction

To reproduce this vulnerability, navigate to the 'shopping_cart.php' page and replace the 'currency' parameter with a high numerical value. Then, append a boolean-based SQL injection payload to the 'currency' parameter. This crafted request can be sent via a web browser or a tool that allows for HTTP request manipulation.

Added: Feb 27, 2026, 6:18 PM

Updated: Feb 27, 2026, 6:18 PM

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

2.5

exploitability

9.7

remediation

0.0

relevance

3.3

threat

6.4

urgency

2.9

incentive

8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

2.5

exploitability

9.7

remediation

0.0

relevance

3.3

threat

6.4

urgency

2.9

incentive

8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

osCommerce SQL Injection Vulnerability in Shopping Cart Component

Vulnerability

Impact

Reproduction

Affected Products

osCommerce

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating