Fixes CVE-2014-3830 and CVE-2014-3978 #238



No description provided.

ghost commented Aug 13, 2014

I received this email; however, I'm not sure what to do with it. I
followed the link(s) and it looks like it is changing some code in
Tomatocart, but I'm not sure what it is supposed to fix. I've put in
a couple of bug reports for problems I have found. Do these fixes have
something to do with my bug reports?

I apologize for any confusion, but I'm not a programmer and I'm not sure
how Github works and how to apply any fixes that might be stored there.

Any help will be appreciated.

Frank Carey

On 8/5/2014 12:49 PM, breakingtech wrote:


Connection commented Sep 4, 2014

Since this has been open for forever...

@int2k @nazrulworld @adietuk @KonzolozZ

ghost commented Sep 8, 2014

I clicked on the links in this email; however, I'm not sure why I received
it. Can you tell me the purpose of the email, please? I am a Tomatocart
user, but I don't understand the purpose of the email.

Frank Carey

On 9/4/2014 9:45 AM, Connection wrote:

Since this has been open for forever...

@int2k @nazrulworld @adietuk

nyov commented Dec 7, 2014

Oh wow, this is how security patches are handled here?
Good thing I found it before checking out the code.

No wonder all the demo sites were broken or offline...

    06 June 2014   - CVE-2014-3978 assigned
    06 June 2014   - Submitted to vendor
    25 June 2014   - Received inadequate patch from vendor
    26 June 2014   - Suggested patch sent to vendor
    17 July 2014   - Request for update from vendor, no response.
    05 August 2014 - Pull request sent on github for full patch

    Vendor ignored, see suggested fix below.

    05 August 2014 -

    SQL Injection

Exploit Complexity:


For the non-coders -- this allows people to steal all your customer and site data and mess up your shop real nice.
Looks like no security awareness here at all. Never mind the fix; I would suggest dropping this software like a hot potato.
