VYPR
Unrated severity · NVD Advisory · Published Dec 17, 2005 · Updated Apr 16, 2026

CVE-2005-4331

Description

SQL injection in iHTML Merchant Version 2 Pro allows remote attackers to execute arbitrary SQL commands via step, id, and pid parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A SQL injection vulnerability exists in the merchant.ihtml script of iHTML Merchant Version 2 Pro. The step, id, and pid parameters are not properly sanitized before being used in SQL queries, allowing an attacker to inject arbitrary SQL commands [1].

Exploitation

A remote attacker can exploit this vulnerability by sending crafted HTTP requests to the vulnerable merchant.ihtml page with malicious SQL code in the step, id, or pid parameters. No authentication is required, as the script is accessible to unauthenticated users.

Impact

Successful exploitation allows the attacker to execute arbitrary SQL commands on the underlying database. This can lead to unauthorized access to sensitive data, modification of database contents, or potential compromise of the application.

Mitigation

As of the publication date (2005-12-17), no patch or workaround has been disclosed in the available references [1]. Users should contact the vendor for updated versions or consider implementing input validation and parameterized queries as a general security measure.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

5
