CVE-2014-5140

The bindReplace function in the query factory in includes/classes/database.php in Loaded Commerce 7 does not properly handle : (colon) characters, which allows remote authenticated users to conduct SQL injection attacks via the First name and Last name fields in the address book. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt