Comersus ASP Shopping Cart default.asp Referer Tag SQL Injection
Remote / Network Access
Loss of Confidentiality,
Loss of Integrity
ASP Shopping Cart contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the Referer field variable is not validated by the default.asp module and will allow an attacker to inject or manipulate SQL queries.
Upgrade to version 6.0.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.