LiveActive security incident?Get immediate response
CVE Record

CVE-2005-4787: Turnkey Web Tools SunShop Shopping Cart allows remote attackers to obtain sensitive information via a phpin...

Turnkey Web Tools SunShop Shopping Cart allows remote attackers to obtain sensitive information via a phpinfo action to (1) index.php, (2) admin/index.php, and (3) admin/adminindex.php, which executes the PHP phpinfo function. NOTE: The vendor has disputed this issue, saying that "Having this in the code makes it easier for us to troubleshoot when issues arise on individual carts. For someone to have a script to do this type of search would require that they know where your shop is actually located. I dont think it really can be construde [sic] as a security issue.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysis

Security readout for executives and security teams

This record describes possible information disclosure in Turnkey Web Tools SunShop Shopping Cart where a diagnostic phpinfo action could reveal server configuration details. That information may help attackers plan follow-on attacks, but the vendor disputed whether it is a security issue and the record lacks CVSS, affected versions, or patch details. Exposure is limited to SunShop Shopping Cart deployments that include the documented phpinfo action and are reachable by untrusted users. The structured affected-product data is listed as n/a, so version-level exposure cannot be determined from the provided sources. Prioritize as a legacy exposure check rather than an emergency response. The issue can leak useful configuration details, but severity, affected versions, fixes, and exploitation are not established in the provided sources. Mitigation focus: Identify whether SunShop Shopping Cart is present in current or legacy assets.; Check vendor or maintainer guidance before changing application behavior.; If confirmed, remove or restrict public access to phpinfo diagnostics..

Prepared

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2005-4787 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
1Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.