Refbase · CVE-2015-6009
**Name of the Vulnerable Software and Affected Versions**
refbase versions prior to 0.9.7
**Description**
Multiple SQL injection vulnerabilities in refbase before 0.9.7 allow remote, unauthenticated attackers to execute arbitrary SQL commands against the refbase database. The injection points are the `where` parameter of "rss.php" and the `sqlQuery` parameter of "search.php", both of which are taken from the request and used in a SQL query without adequate sanitisation.
**Recommendations**
For versions prior to 0.9.7, update to version 0.9.7 or later, which contains the fix. If you cannot upgrade immediately, restrict access to the "rss.php" and "search.php" scripts at the web server (for example, to trusted networks or authenticated users) and reject requests that carry a `where` parameter to "rss.php" or a `sqlQuery` parameter to "search.php". Note that these parameters are supplied by the client, not chosen by the site operator, so the workaround has to be enforced in front of the application rather than by "not using" them. Check your web server logs for past requests to these two scripts that contain the affected parameters.
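The description above names two scripts and the one parameter on each that reaches SQL. The following is an added example for this advisory, not code from the refbase project: it scans an Apache/nginx combined-format access log for requests that carry the `where` parameter to rss.php or the `sqlQuery` parameter to search.php, and marks those whose decoded value contains generic SQL-injection indicators. The log lines, the `/refbase/` install path, the table names in the sample payloads and the indicator regex are all constructed for the example and are not taken from the advisory or from any specific exploit.

```python
"""Scan a combined-format access log for the refbase endpoints and parameters
named in CVE-2015-6009.

Added example for this advisory, not refbase project code.
Assumptions (not from the advisory): Apache/nginx "combined" log format,
refbase installed under /refbase/, and a generic SQL-injection heuristic
that you should tune against your own baseline of legitimate `where` clauses.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Script -> request parameter the advisory names as reaching SQL unsanitised.
AFFECTED = {"rss.php": "where", "search.php": "sqlQuery"}

# combined format: ip ident user [ts] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Generic SQL-injection indicators (hypothetical heuristic, not a signature
# of any particular exploit). Matched against the percent-decoded value.
INJECTION_RE = re.compile(
    r"(?i)(?:"
    r"\bunion\s+(?:all\s+)?select\b"
    r"|\binformation_schema\b"
    r"|\b(?:sleep|benchmark|load_file)\s*\("
    r"|\binto\s+(?:out|dump)file\b"
    r"|--|/\*"
    r"|\b(?:or|and)\s+\d+\s*=\s*\d+"
    r")"
)

# Constructed sample lines, not real traffic; IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2015:14:02:11 +0000] "GET /refbase/rss.php?where=year%3E2010 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2015:14:02:40 +0000] "GET /refbase/rss.php?where=1%3D1+UNION+SELECT+1%2C2%2C3 HTTP/1.1" 200 7788 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2015:14:03:02 +0000] "GET /refbase/search.php?sqlQuery=SELECT+*+FROM+refs+WHERE+serial%3D1+OR+1%3D1--+ HTTP/1.1" 200 9010 "-" "curl/7.43.0"
192.0.2.9 - - [10/Sep/2015:14:03:30 +0000] "GET /refbase/show.php?record=42 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Sep/2015:14:04:00 +0000] "POST /refbase/search.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""


def inspect_request(target):
    """Return a finding dict if the request target carries the affected
    parameter to an affected script, otherwise None."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    param = AFFECTED.get(script)
    if param is None:
        return None
    # parse_qs percent-decodes and turns '+' into spaces, so the regex sees
    # roughly what the PHP script would have received in $_GET.
    values = parse_qs(parts.query, keep_blank_values=True).get(param)
    if not values:
        return None
    value = " ".join(values)  # keep every copy of a repeated parameter
    return {
        "script": script,
        "param": param,
        "value": value,
        "injection": bool(INJECTION_RE.search(value)),
    }


def scan_log(text):
    """Parse each log line and collect findings for the affected endpoints."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Only the request line is logged: a sqlQuery sent in a POST body to
        # search.php is invisible here, so "no finding" means "nothing seen",
        # not "nothing happened".
        finding = inspect_request(m.group("target"))
        if finding is None:
            continue
        finding.update(ip=m.group("ip"), ts=m.group("ts"),
                       method=m.group("method"), status=m.group("status"))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "INJECTION" if f["injection"] else "access"
        print(f"{f['ts']} {f['ip']} {f['script']} {f['param']}={f['value']!r} [{flag}]")
```

Every hit on the affected parameters is reported, not only the ones the heuristic marks as injection, because the workaround above is to reject those requests outright; the `injection` flag only helps prioritise. Treat a hit with status 200 and a large response size as a possible successful extraction and follow up in the database server's own query log.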