[VIM] Revisiting The Past

Steven M. Christey coley at linus.mitre.org
Wed Aug 9 16:15:12 EDT 2006

My gut reaction is that this was a dupe/rediscovery that wasn't caught due
to different spellings of "ProductCart" and "Product Cart" (though we
should have caught it on the script or parameter name...)  These days, I
would update the original CVE to mention the new version that is also

I hate duplicates due to alternate spellings :(  In CVE, we don't have a
normalized vendor or product name field, which might make this issue worse
- or do other DBs have the same problem?

- Steve

On Wed, 9 Aug 2006, George A. Theall wrote:

> Can anyone tell me the difference between:
>   http://echo.or.id/adv/adv16-theday-2005.txt (the 1st SQL injection)
>   http://archives.neohapsis.com/archives/bugtraq/2005-07/0521.html
> The first seems to be reflected in CVE-2005-1967, and OSVDB 17329; the
> latter in CVE-2005-2445, OSVDB 18508. And to further muddy things, BID
> 13881 credits Dedi Dwianto but provides a reference to Dcrab's advisory.
> Unless I'm missing something, both appear to cover the same app /
> version / script / parameter / issue. [NB: Bugtraq and OSVDB do say
> Product Cart 2.7 is affected, but Dwianto's advisory states "version : <
> 2.7", at least as I look at it right now.]
> George
> --
> theall at tenablesecurity.com

More information about the VIM mailing list