Description
The orderdspc.d2w Net.Data macro in IBM Net.Commerce 3.x passes the order_rn parameter of its report function into an SQL statement without validating or parameterizing it. A remote attacker who can reach the macro can therefore supply SQL in place of an order number and execute arbitrary queries against the back-end database with the privileges of the commerce server's database connection.
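The following is an added example, not IBM's code or code from this page: it models the bug class described above (an order-number parameter spliced into SQL text) with a small in-memory SQLite table, shows the validated and parameterized form that closes it, and scans constructed web-server log lines for requests to orderdspc.d2w whose order_rn is not a plain order number. The table layout, the SQL, the /cgi-bin/ncommerce3/ExecMacro/ request path and every log line are assumptions constructed for the example; Net.Commerce's real schema and macro are not reproduced.

```python
"""Added example for CVE-2001-0319 (not IBM's code).

Models an order report whose order_rn parameter is concatenated into SQL,
the parameterized fix, and a log scan for abuse of that parameter.
Schema, SQL, request paths and log lines are all constructed here.
"""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

ORDER_RN_RE = re.compile(r"[0-9]{1,10}")          # what a real order number looks like
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+"')


def make_db() -> sqlite3.Connection:
    """Constructed orders table standing in for the merchant database."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE orders(order_rn INTEGER, shopper TEXT, total REAL);
        INSERT INTO orders VALUES (1001, 'alice', 42.50);
        INSERT INTO orders VALUES (1002, 'bob',   19.99);
        INSERT INTO orders VALUES (1003, 'carol', 250.00);
        """
    )
    return con


def order_report_vulnerable(con: sqlite3.Connection, order_rn: str):
    """Vulnerable pattern: the request parameter becomes part of the SQL text,
    so 'order_rn=0 OR 1=1' dumps every order and a UNION reads other tables."""
    sql = "SELECT shopper, total FROM orders WHERE order_rn = " + order_rn
    return con.execute(sql).fetchall()


def is_valid_order_rn(value: str) -> bool:
    """Positive validation: only a short decimal string is an order number."""
    return ORDER_RN_RE.fullmatch(value) is not None


def order_report_safe(con: sqlite3.Connection, order_rn: str):
    """Hardened form: reject anything that is not an order number, then bind
    the value as a query parameter so it can never be parsed as SQL."""
    if not is_valid_order_rn(order_rn):
        raise ValueError("order_rn must be a decimal order number")
    sql = "SELECT shopper, total FROM orders WHERE order_rn = ?"
    return con.execute(sql, (int(order_rn),)).fetchall()


# Constructed access-log lines in Common Log Format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2001:10:01:02 -0500] "GET /cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=1001 HTTP/1.0" 200 2311
10.0.0.9 - - [12/Feb/2001:10:01:09 -0500] "GET /cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=1001%20OR%201%3D1 HTTP/1.0" 200 9812
10.0.0.9 - - [12/Feb/2001:10:01:15 -0500] "GET /cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=0%20UNION%20SELECT%20NAME%20FROM%20SYSIBM.SYSTABLES HTTP/1.0" 200 15022
10.0.0.7 - - [12/Feb/2001:10:02:00 -0500] "GET /cgi-bin/ncommerce3/ExecMacro/prodsp.d2w/report?prrfnbr=55 HTTP/1.0" 200 1200
"""


def flag_order_rn_abuse(log_text: str):
    """Return (client_ip, decoded order_rn) for requests to orderdspc.d2w whose
    order_rn is not a plain order number. This is a detection aid for finding
    exploitation attempts in existing logs, not a substitute for the fix."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if "/orderdspc.d2w" not in url.path:
            continue
        for value in parse_qs(url.query).get("order_rn", []):   # percent-decoded
            if not is_valid_order_rn(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    db = make_db()
    print("legit   :", order_report_vulnerable(db, "1001"))
    print("injected:", order_report_vulnerable(db, "0 OR 1=1"))
    print("safe    :", order_report_safe(db, "1001"))
    for ip, value in flag_order_rn_abuse(SAMPLE_LOG):
        print("suspicious order_rn from", ip, "->", repr(value))
```

The scan deliberately uses positive validation (what an order number must look like) rather than a blacklist of SQL keywords, since the latter is trivially bypassed with encoding and comment tricks; the same rule is what the hardened lookup enforces before binding the value.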
Products
- IBM Net.Commerce 2.0
- IBM Net.Commerce 3.0
- IBM Net.Commerce 3.1.1 Pro
- IBM Net.Commerce 3.1.1 Start
- IBM Net.Commerce 3.1.2 Pro
- IBM Net.Commerce 3.1.2 Start
- IBM Net.Commerce 3.1 Pro
- IBM Net.Commerce 3.1 Start
- IBM Net.Commerce 3.2 Pro
- IBM Net.Commerce 3.2 Start
- IBM Net.Commerce Hosting Server 3.1.1
- IBM Net.Commerce Hosting Server 3.1.2
- IBM Net.Commerce Hosting Server 3.2
- IBM WebSphere Commerce Suite 3.1.2 Service Provider
- IBM WebSphere Commerce Suite 3.2 Service Provider
- IBM WebSphere Commerce Suite 4.1.1 Pro
- IBM WebSphere Commerce Suite 4.1.1 Start
- IBM WebSphere Commerce Suite 4.1 Marketplace
- IBM WebSphere Commerce Suite 4.1 Pro
- IBM WebSphere Commerce Suite 4.1 Start
Questions to Ask Vendors
- Can you confirm whether your systems are affected by CVE-2001-0319, and if so, what steps are you currently taking to mitigate this vulnerability?
- What is your estimated timeline for fully resolving CVE-2001-0319 in your products or services, and how will you communicate updates on this issue to us as your customer?
Recommended Actions
- Apply the fix or upgrade IBM provides for the affected Net.Commerce and WebSphere Commerce Suite releases; see the advisory links under References.
- Until the fix is in place, restrict or disable access to the orderdspc.d2w macro's report function, since the attack needs only an HTTP request to it.
- Review web server logs for requests to orderdspc.d2w whose order_rn value is anything other than a plain order number, and treat such requests as attempted exploitation.
- Confirm that the database account used by the commerce server holds only the privileges the storefront needs, to limit what an injected query can read or change.
References