SQL injection vulnerability in core/user.php in CS-Cart 1.3.5 and earlier allows remote attackers to execute arbitrary SQL commands via the cs_cookies[customer_user_id] cookie parameter.

More... (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-6394)