CVE-2005-3208

critical

Description

Multiple SQL injection vulnerabilities in (1) aeNovo, (2) aeNovoShop and (3) aeNovoWYSI allow remote attackers to execute arbitrary SQL code via (a) the password parameter in control.asp, and (b) the strSQL parameter in search.asp, which can enable XSS attacks in resulting error messages.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/22553

https://exchange.xforce.ibmcloud.com/vulnerabilities/22551

https://exchange.xforce.ibmcloud.com/vulnerabilities/22547

http://www.securityfocus.com/bid/15036

http://www.osvdb.org/19937

http://www.osvdb.org/19936

http://secunia.com/advisories/17117/

http://marc.info/?l=bugtraq&m=112872593432359&w=2

Details

Source: Mitre, NVD

Published: 2005-10-14

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.0351