On May 1, 2008, a report was posted on PacketStorm about an alleged SQL Injection threat against "2008 Zen Cart".

THE REPORT IS NOT ACCURATE. THE DESCRIBED ISSUE IS NOT AN SQL INJECTION RISK.


I have been testing the alleged PacketStorm vulnerability on 1.3.8 and I believe it is bogus.

Of the 4 test scenarios, only 1 produces an SQL error. However, that error is not caused by an SQL injection, but by a weakness in the way the advanced search code builds its SQL.

So while I would class it as a bug, I would not class it as an SQL injection.