VP-ASP Shopping Cart versions prior to 6.08 contain a vulnerability that may allow a remote attacker to inject arbitrary SQL code and execute queries on the underlying database.
The vulnerability exists due to insufficient validation of user-supplied input to the shopcurrency.asp script. A remote attacker could exploit this vulnerability by passing crafted values to a parameter that the vulnerable script subsequently uses in SQL queries. In this way, the attacker can retrieve information from the underlying database, or alter or remove information in it.
Exploit code is available.
The vendor confirmed this vulnerability in patch notes and released updated software.
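For triage on a site that ran an affected version, the following added example (not part of the advisory or the vendor's code) scans IIS W3C logs for requests to shopcurrency.asp whose parameter values fall outside a conservative allow-list. The parameter name `cur`, the log lines and the allow-list pattern are assumptions constructed for illustration; input sent in a POST body would not appear in these logs.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log lines (not real traffic); "cur" is a hypothetical
# parameter name, since the advisory does not name the affected parameter.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-01 10:00:01 192.0.2.10 GET /shop/shopcurrency.asp cur=2 200
2024-01-01 10:00:07 192.0.2.44 GET /shop/shopcurrency.asp cur=2%27 500
2024-01-01 10:00:09 192.0.2.44 GET /shop/ShopCurrency.asp cur=1%2527%3B-- 200
2024-01-01 10:00:12 192.0.2.10 GET /shop/shopdisplay.asp id=5%27 200
2024-01-01 10:00:15 192.0.2.77 GET /shop/shopcurrency.asp - 200
"""

TARGET = "/shopcurrency.asp"
# Assumption: legitimate values are short identifiers or numbers.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]{0,32}")


def fully_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded input (%2527) is unmasked."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_text):
    """Return (client_ip, parameter, decoded_value, status) per flagged value."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the lines that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        # IIS paths are case-insensitive, so compare the stem in lower case.
        if not rec.get("cs-uri-stem", "").lower().endswith(TARGET):
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":  # IIS writes "-" when there is no query string
            continue
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            value = fully_decode(raw)
            if not SAFE_VALUE.fullmatch(value):
                hits.append((rec["c-ip"], name, value, rec["sc-status"]))
    return hits
```

A flagged request that returned status 500 often indicates a query that broke on the injected character, while a flagged request that returned 200 deserves closer review of the database activity at that time.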