Impact
A SQL injection vulnerability exists in the my_account.php script of CodeAstro Ecommerce Website 1.0, specifically when manipulating the c_name argument in the edit_account operation. The flaw allows an attacker to inject arbitrary SQL through the web interface, potentially exposing or modifying sensitive customer data. The vulnerability is categorized as CWE-74 and CWE-89.
Affected Systems
The vulnerability impacts CodeAstro Ecommerce Website version 1.0, affecting the my_account.php module used for account editing. Because no further version range is specified, any installation of 1.0 that has not applied a patch is considered vulnerable. The affected endpoint is /ecommerce-website-php/customer/my_account.php?edit_account.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. No EPSS score is available, so the probability of exploitation cannot be estimated from that source. The vulnerability is not listed in CISA's KEV catalog, which suggests it has not yet been observed in large-scale exploitation campaigns. However, the attack can be performed remotely via crafted HTTP requests to the affected endpoint, and public reports confirm that an exploit exists. Organizations running this application should therefore consider the risk moderate but treat it as potentially exploitable if no patch is applied.
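The following is an added illustration, not code from CodeAstro Ecommerce Website: it shows the general CWE-89 pattern behind an account-edit handler that splices the c_name parameter into an UPDATE statement, beside a hardened version using a prepared statement and server-side validation. The mysqli connection, the customers table and column names, the session key, the 100-character limit, and the assumption that c_name arrives via POST are all assumptions.

```php
<?php
// Added example (not the project's code). Connection details, table/column
// names, session key and length limit are assumptions, not values from the advisory.

// Vulnerable pattern (CWE-89): user input is concatenated straight into SQL.
function updateNameVulnerable(mysqli $conn, int $customerId, string $cName): bool
{
    $sql = "UPDATE customers SET c_name = '" . $cName . "' WHERE c_id = " . $customerId;
    return $conn->query($sql) === true; // a quote in $cName changes the statement itself
}

// Hardened version: the value is bound as a parameter and validated first.
function updateNameSafe(mysqli $conn, int $customerId, string $cName): bool
{
    $cName = trim($cName);
    // Reject empty or oversized names before touching the database.
    if ($cName === '' || mb_strlen($cName) > 100) {
        return false;
    }
    $stmt = $conn->prepare('UPDATE customers SET c_name = ? WHERE c_id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $cName, $customerId); // bound data is never parsed as SQL
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Handler sketch for my_account.php?edit_account: only the authenticated
// customer's own row may be updated, and only through the safe function.
if (isset($_GET['edit_account']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    session_start();
    if (!isset($_SESSION['customer_id'])) {
        http_response_code(401);
        exit;
    }
    $conn = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'ecommerce'); // placeholder credentials
    $ok = updateNameSafe($conn, (int) $_SESSION['customer_id'], $_POST['c_name'] ?? '');
    echo $ok ? 'Account updated' : 'Invalid input';
}
```

Until a vendor patch is available, the same fix applies to every other query in my_account.php that consumes request parameters: bind values rather than concatenating them.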
OpenCVE Enrichment