VYPR
Unrated severityNVD Advisory· Published Aug 17, 2006· Updated Jun 16, 2026

CVE-2006-4214

CVE-2006-4214

Description

Multiple SQL injection vulnerabilities in Zen Cart 1.3.0.2 and earlier allow remote attackers to execute arbitrary SQL commands via (1) GPC data to the ipn_get_stored_session function in ipn_main_handler.php, which can be leveraged to modify elements of $_SESSION; and allow remote authenticated users to execute arbitrary SQL commands via (2) a session id within a cookie to whos_online_session_recreate, (3) the quantity field to the add_cart function, (4) an id[] parameter when adding an item to a shopping cart, or (5) a redemption code when checking out (dc_redeem_code parameter to includes/modules/order_total/ot_coupon.php).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Zen Cart/ZenCart2 versions
    cpe:2.3:a:zen_cart:zen_cart:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:zen_cart:zen_cart:*:*:*:*:*:*:*:*range: <=1.3.0.2
    • (no CPE)range: <=1.3.0.2

Patches

Vulnerability mechanics

References

11

News mentions

0

No linked articles in our index yet.