[Original text] shop_display_products.php in Naxtor Shopping Cart 1.0 allows remote attackers to obtain sensitive information via a cat_id with a "'" (single quote), which reveals the path in an error message, possibly due to an SQL injection vulnerability.
Naxtor Shopping Cart contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'shop_display_products.php' script not properly sanitizing user-supplied input to the 'cat_id' variable. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database.
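The handling that this class of flaw calls for, as an added example that is not Naxtor's code: a numeric 'cat_id' is validated as an integer, bound as a query parameter, and database errors are sent to the log instead of the response, so no path is disclosed. The function names, table layout and sample rows are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical handler, not taken from Naxtor Shopping Cart.
declare(strict_types=1);

// Keep error details (including file system paths) out of HTTP responses.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed sample data in an in-memory SQLite database so the example runs offline.
function sample_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, cat_id INTEGER, name TEXT)');
    $pdo->exec("INSERT INTO products (cat_id, name) VALUES (1, 'Lamp'), (1, 'Desk'), (2, 'Chair')");
    return $pdo;
}

// Returns product names for a category, or null when cat_id is not a positive integer.
function products_for_category(PDO $pdo, $rawCatId): ?array
{
    // Pattern to avoid: concatenating the raw request value into the SQL string.
    $catId = filter_var($rawCatId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($catId === false) {
        return null; // a value such as "1'" is rejected before any SQL is built
    }
    try {
        // The value is bound as a typed parameter, never placed in the query text.
        $stmt = $pdo->prepare('SELECT name FROM products WHERE cat_id = :cat ORDER BY id');
        $stmt->bindValue(':cat', $catId, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_COLUMN);
    } catch (PDOException $e) {
        error_log('product lookup failed: ' . $e->getMessage()); // detail goes to the log only
        return [];
    }
}

$pdo = sample_db();
foreach (['1', "1'", '2 OR 1=1'] as $input) { // constructed inputs
    $result = products_for_category($pdo, $input);
    echo str_pad(var_export($input, true), 14), ' => ',
        $result === null ? 'rejected (respond 400)' : implode(', ', $result), PHP_EOL;
}
```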
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.