I just saw this on CVE Security Scorecard. It's on quite a few security sites.
Vulnerability Details : CVE-2025-50972
AbanteCart 1.4.2 Unauthenticated SQL Injection via tmpl_id Parameter in index.php
SQL Injection vulnerability in AbanteCart 1.4.2, allows unauthenticated attackers to execute arbitrary SQL commands via the tmpl_id parameter to index.php. Three techniques have been demonstrated: error-based injection using a crafted FLOOR-based payload, time-based blind injection via SLEEP(), and UNION-based injection to extract arbitrary data.
Base Score: 9.8 Base Severity: CRITICAL Impact Score 5.9 First Seen 8/27/2025
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
https://www.cvedetails.com/cve/CVE-2025-50972/
Any idea's or a patch that can be done? I'm thinking maybe write a line to block the query string right into Apache in pre-main include, and block it server wide, as I plan only on having one store a dev site, and will own any other sites on there. I can't think of any reason this would cause me issues. Any thoughts ?
Vulnerability Details : CVE-2025-50972
AbanteCart 1.4.2 Unauthenticated SQL Injection via tmpl_id Parameter in index.php
SQL Injection vulnerability in AbanteCart 1.4.2, allows unauthenticated attackers to execute arbitrary SQL commands via the tmpl_id parameter to index.php. Three techniques have been demonstrated: error-based injection using a crafted FLOOR-based payload, time-based blind injection via SLEEP(), and UNION-based injection to extract arbitrary data.
Base Score: 9.8 Base Severity: CRITICAL Impact Score 5.9 First Seen 8/27/2025
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
https://www.cvedetails.com/cve/CVE-2025-50972/
Any idea's or a patch that can be done? I'm thinking maybe write a line to block the query string right into Apache in pre-main include, and block it server wide, as I plan only on having one store a dev site, and will own any other sites on there. I can't think of any reason this would cause me issues. Any thoughts ?