CubeCart ecommerce software versions before 6.6.0 have an authenticated time-based blind SQL injection vulnerability (CWE-89) in the sorting parameters (sort[price], sort_activity, sort_admin, sort_customer) of the Products and Logs endpoints. This flaw allows an attacker with valid credentials to inject malicious SQL commands, which can lead to unauthorized data access or modification. The vulnerability is resolved in version 6.6.0 of CubeCart.

Successful exploitation of this vulnerability can lead to arbitrary SQL command execution, resulting in compromise of database confidentiality, integrity, and availability. This could allow attackers to access sensitive data, alter database contents, or disrupt service. The vulnerability requires authenticated access and does not involve user interaction beyond that.

Upgrade CubeCart to version 6.6.0 or later, where this SQL injection vulnerability is fixed. Since the vendor advisory confirms the fix in 6.6.0, applying this official update is the recommended remediation. No other mitigation details are provided.