osCommerce 2.3.4.1 allows hackers to steal sensitive data
CVE-2019-25495
Summary
The osCommerce e-commerce software contains a SQL injection flaw that lets attackers read sensitive information from the shop's database. The injection point is the reviews_id parameter of the product review page (product_reviews_write.php): an attacker supplies SQL code in that parameter instead of a normal review id, and no customer account is needed. To protect yourself, update osCommerce to the latest version or remove it altogether if possible.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| oscommerce | oscommerce | 2.3.4.1 | – |
Original title
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the reviews_id parameter. Attackers can ...
Original description
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the reviews_id parameter. Attackers can send GET requests to product_reviews_write.php with malicious reviews_id values using boolean-based SQL injection payloads to extract sensitive database information.
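Added example, not part of this advisory or of osCommerce's own code: a Python check over constructed Apache access-log lines that flags requests to product_reviews_write.php whose reviews_id value is not a plain integer (the parameter is a numeric row id), which is the shape of the boolean-based probing the description mentions. The log lines, IPs and response sizes are assumed sample data; the response size is kept because a true/false pair answered with different sizes is the usual tell for boolean-based injection.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Feb/2026:10:01:02 +0000] "GET /product_reviews_write.php?products_id=28&reviews_id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Feb/2026:10:01:09 +0000] "GET /product_reviews_write.php?products_id=28&reviews_id=7%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Feb/2026:10:01:11 +0000] "GET /product_reviews_write.php?products_id=28&reviews_id=7%20AND%201%3D2 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Feb/2026:10:02:30 +0000] "GET /product_info.php?products_id=28 HTTP/1.1" 200 6001 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TARGET_SCRIPT = "/product_reviews_write.php"   # script named in the advisory
INT_RE = re.compile(r"^\d+$")                   # reviews_id is a numeric row id

def parse_line(line):
    """Return a dict with ip, ts, path, decoded query params, status, size; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values once, so %20AND%201%3D1 becomes " AND 1=1".
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec

def find_suspicious(log_text):
    """Flag product_reviews_write.php requests whose reviews_id is not a bare integer."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_SCRIPT:
            continue
        for value in rec["query"].get("reviews_id", []):
            if not INT_RE.match(value):
                findings.append({"ip": rec["ip"], "ts": rec["ts"], "reviews_id": value,
                                 "status": rec["status"], "size": rec["size"]})
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} reviews_id={f['reviews_id']!r} status={f['status']} size={f['size']}")
```

Two flagged requests from one client within seconds, identical except for the trailing condition and with different response sizes, are the pattern to alert on; a single non-numeric value is usually just a malformed link.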
nvd CVSS3.1
7.5
nvd CVSS4.0
8.8
Vulnerability type
CWE-89
SQL Injection
- https://www.exploit-db.com/exploits/46330 Exploit VDB Entry
- https://www.oscommerce.com Product
- https://www.vulncheck.com/advisories/oscommerce-sql-injection-via-reviewsid-para... Broken Link
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026