Vendor site: http://www.candypress.com/
Product: CandyPress Store
Bug: SQL injection
Risk: medium

SQL injection (GET):
http://site.com/sa3.5.2.14/scripts/openPolicy.asp?policy='[sql]
http://site.com/sa3.5.2.14/scripts/prodList.asp?brand='[sql]

Laurent Gaffié & Benjamin Mossé
http://s-a-p.ca/
Contact: saps.audit@xxxxxxxxx
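
A log check for requests that put a quote character into the two parameters listed above, as an added example that is not part of the original advisory. The W3C-style field order and the sample log lines are constructed assumptions; adjust the field indexes to the server's actual log format.

```python
from urllib.parse import parse_qsl, unquote_plus

# Script name (lower-cased) -> parameter named in the advisory.
WATCHED = {"openpolicy.asp": "policy", "prodlist.asp": "brand"}


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so a double-encoded quote (%2527) is seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_lines):
    """Return (client_ip, script, param, decoded_value) for each flagged line."""
    hits = []
    for line in log_lines:
        if line.startswith("#"):  # W3C header lines
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        # Assumed order: date time c-ip cs-method cs-uri-stem cs-uri-query ...
        client_ip, stem, query = fields[2], fields[4], fields[5]
        script = stem.rsplit("/", 1)[-1].lower()
        wanted = WATCHED.get(script)
        if wanted is None or query == "-":
            continue
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)
            if name.lower() == wanted and "'" in value:
                hits.append((client_ip, script, wanted, value))
    return hits


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2024-01-01 10:00:00 192.0.2.10 GET /sa3.5.2.14/scripts/prodList.asp brand=12 200",
    "2024-01-01 10:00:05 192.0.2.44 GET /sa3.5.2.14/scripts/openPolicy.asp policy=%27 500",
    "2024-01-01 10:00:09 192.0.2.44 GET /sa3.5.2.14/scripts/prodList.asp brand=%2527 500",
    "2024-01-01 10:00:12 192.0.2.10 GET /sa3.5.2.14/scripts/prodList.asp other=1 200",
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```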