CVE-2005-3208 Information

Description

Multiple SQL injection vulnerabilities in (1) aeNovo, (2) aeNovoShop, and (3) aeNovoWYSI allow remote attackers to execute arbitrary SQL code via (a) the password parameter in control.asp and (b) the strSQL parameter in search.asp, which can enable XSS attacks in resulting error messages.

Reference

http://marc.info/?l=bugtraq&m=112872593432359&w=2
http://secunia.com/advisories/17117/
http://www.kapda.ir/advisory-78.html
http://www.osvdb.org/19936
http://www.osvdb.org/19937
http://www.securityfocus.com/bid/15036
http://www.securityfocus.com/bid/15038
https://exchange.xforce.ibmcloud.com/vulnerabilities/22547
https://exchange.xforce.ibmcloud.com/vulnerabilities/22551
https://exchange.xforce.ibmcloud.com/vulnerabilities/22553
