PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-3694 Modified CVE debrief

CVE-2016-3694 is a critical SQL injection vulnerability in modified eCommerce Shopsoftware 2.0.0.0 revision 9678. The issue affects api/easybill/easybillcsv.php and can be triggered through the orders_status or customers_status parameters when the easybill-module is not installed. NVD rates the issue as CVSS 3.0 9.8 (Critical), reflecting unauthenticated network reachability and the potential for full compromise of confidentiality, integrity, and availability.

Vendor: Modified
Product: CVE-2016-3694
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Administrators, developers, and security teams responsible for modified eCommerce Shopsoftware 2.0.0.0 revision 9678 deployments, especially instances where the easybill-module is not installed. Any internet-facing installation should be treated as urgent.

Technical summary

The NVD record identifies CWE-89 (SQL Injection) in api/easybill/easybillcsv.php. The vulnerable surface is exposed through the orders_status and customers_status parameters. Because the flaw is reachable over the network without authentication, an attacker may be able to submit crafted input that alters backend SQL queries. The record ties the vulnerability to cpe:2.3:a:modified:ecommerce_shopsoftware:2.0.0.0:r9678:*:*:*:*:*:* and notes the condition specifically when the easybill-module is absent.
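The following is an added illustration of the CWE-89 pattern described above and of the two controls that close it (an allowlist on the parameter and a bound query parameter). It is example code written for this debrief, not code from modified eCommerce Shopsoftware or from easybillcsv.php; the table layout, the function names and the use of an in-memory SQLite database are assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed in-memory "orders" table standing in for the shop database.
# Illustration only; this is not the modified eCommerce schema.
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE orders (orders_id INTEGER, orders_status INTEGER, total REAL)"
    )
    con.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, 1, 10.0), (2, 2, 20.0), (3, 1, 30.0), (4, 3, 40.0)],
    )
    return con


def export_orders_vulnerable(con, orders_status):
    # Request parameter spliced straight into the statement: the CWE-89 pattern.
    # Any value that is not a plain number changes the meaning of the query.
    sql = f"SELECT orders_id FROM orders WHERE orders_status = {orders_status}"
    return [row[0] for row in con.execute(sql)]


# A status id is a small positive integer; nothing else is accepted.
STATUS_RE = re.compile(r"\d{1,10}")


def export_orders_hardened(con, orders_status):
    # 1. Allowlist validation: reject anything that is not an integer literal.
    if not STATUS_RE.fullmatch(str(orders_status)):
        raise ValueError("orders_status must be a positive integer")
    # 2. Bound parameter: the driver ships the value separately from the SQL text,
    #    so it can never be parsed as part of the statement.
    sql = "SELECT orders_id FROM orders WHERE orders_status = ?"
    return [row[0] for row in con.execute(sql, (int(orders_status),))]


if __name__ == "__main__":
    db = build_db()
    print("benign, vulnerable :", export_orders_vulnerable(db, "1"))
    print("widened, vulnerable:", export_orders_vulnerable(db, "1 OR 1=1"))
    print("benign, hardened   :", export_orders_hardened(db, "1"))
    try:
        export_orders_hardened(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected, hardened :", exc)
```

Run stand-alone, the script shows the concatenated query returning every order for a non-numeric value while the hardened version rejects the same input before it reaches the database. Either control alone is an improvement; together they give both a clear validation failure to log and a query whose structure cannot be altered by input.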

Defensive priority

Urgent. This is a pre-auth, network-reachable SQL injection with critical impact, so affected systems should be prioritized for immediate verification and remediation.

Recommended defensive actions

  • Confirm whether modified eCommerce Shopsoftware 2.0.0.0 revision 9678 is deployed.
  • Check whether the easybill-module is installed; the vulnerability is described as present when it is not installed.
  • Apply the vendor or maintainer fix if available and update to a non-vulnerable release.
  • Restrict exposure of the affected application and endpoint until remediated.
  • Monitor application and database logs for anomalous requests to api/easybill/easybillcsv.php and unusual SQL activity.
  • Review database credentials and application privileges to limit blast radius if exploitation occurred.
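As an added example of the log-monitoring step above, the script below parses common-log-format access lines, counts every request to api/easybill/easybillcsv.php, and raises an alert whenever orders_status or customers_status carries a value that is not a plain integer. The log lines are constructed for this debrief (RFC 5737 documentation addresses, not real traffic), the log format and the "status ids are integers" assumption are mine, and nothing here is taken from the product or from the advisory sources.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in common log format (illustrative, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Feb/2017:20:01:11 +0000] "GET /api/easybill/easybillcsv.php?orders_status=3 HTTP/1.1" 200 512
203.0.113.5 - - [15/Feb/2017:20:01:15 +0000] "GET /api/easybill/easybillcsv.php?orders_status=3%20OR%201%3D1 HTTP/1.1" 200 9120
198.51.100.9 - - [15/Feb/2017:20:02:02 +0000] "GET /api/easybill/easybillcsv.php?customers_status=2%27 HTTP/1.1" 500 0
192.0.2.44 - - [15/Feb/2017:20:03:40 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
WATCHED_PATH = "/api/easybill/easybillcsv.php"
WATCHED_PARAMS = ("orders_status", "customers_status")
NUMERIC = re.compile(r"\d{1,10}")  # assumption: a status id is a small integer


def parse_line(line):
    """Split one common-log-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_request(entry):
    """Return alerts for one parsed entry; empty if the request is not of interest."""
    url = urlsplit(entry["target"])
    if url.path != WATCHED_PATH:
        return []
    alerts = []
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if not NUMERIC.fullmatch(value):
                alerts.append({
                    "ip": entry["ip"], "ts": entry["ts"], "param": name,
                    "value": value, "reason": "non-numeric status id",
                })
    return alerts


def scan(log_text):
    """Count requests to the watched endpoint and collect parameter alerts."""
    summary = {"endpoint_requests": 0, "alerts": []}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if urlsplit(entry["target"]).path == WATCHED_PATH:
            summary["endpoint_requests"] += 1
        summary["alerts"].extend(inspect_request(entry))
    return summary


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    print(f"{result['endpoint_requests']} request(s) to {WATCHED_PATH}")
    for a in result["alerts"]:
        print(f"ALERT {a['ts']} {a['ip']} {a['param']}={a['value']!r}: {a['reason']}")
```

On a host where the easybill-module is not installed, the endpoint count alone is worth alerting on, since legitimate traffic to that script should be close to zero; the per-parameter check adds a signal that does not depend on a signature list and survives URL encoding because values are decoded before inspection.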

Evidence notes

This debrief is based on the official NVD record for CVE-2016-3694 and the CVE record metadata supplied in the source corpus. The NVD entry lists the affected CPE, CVSS vector (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), and CWE-89. The record also includes third-party advisory references to Packet Storm and Exploit-DB. The published date is 2017-02-15T19:59:00.203Z; the later 2026-05-13 modification date reflects record updates, not the original vulnerability disclosure date.

Official resources

CVE-2016-3694 was published on 2017-02-15 and later modified by NVD on 2026-05-13. The source corpus includes third-party advisory references, but this debrief relies on the official CVE/NVD record for the primary facts.