Aqua · Aqua Cms · CVE-2009-1317
**Name of the Vulnerable Software and Affected Versions**
Aqua CMS version 1.1
**Description**
Aqua CMS 1.1 contains SQL injection vulnerabilities that allow remote attackers to execute arbitrary SQL commands. The injection points are the `userSID` cookie parameter to "droplets/functions/base.php" and the `username` parameter to "admin/index.php". Both are exploitable only when `magic_quotes_gpc` is disabled.
**Recommendations**
For Aqua CMS version 1.1, make sure the `magic_quotes_gpc` option is enabled, not disabled: as described above, the injection is exploitable only when it is off. As a temporary workaround, restrict access to the "droplets/functions/base.php" and "admin/index.php" files until a patch is available. Avoid using the `userSID` cookie parameter and the `username` parameter in the affected endpoints until the issue is resolved.
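A code-level fix removes the dependence on `magic_quotes_gpc` by binding both inputs as query parameters. The following is an added example, not Aqua CMS code: the table and column names, the function names, the 32-hex-character token format, and the in-memory SQLite database are all assumptions made so the sketch runs offline.

```php
<?php
// Added example: hypothetical schema, not Aqua CMS's own tables.
// An in-memory SQLite database stands in for the CMS database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (sid TEXT PRIMARY KEY, user_id INTEGER)');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (1, ?, ?)')
   ->execute(['admin', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);
$db->exec("INSERT INTO sessions VALUES ('0123456789abcdef0123456789abcdef', 1)");

// Session lookup keyed on the userSID cookie: reject anything that is not
// the expected token shape (assumed: 32 lowercase hex chars), then bind it.
function user_id_for_sid(PDO $db, $sid) {
    if (!is_string($sid) || !preg_match('/\A[0-9a-f]{32}\z/', $sid)) {
        return null;
    }
    $st = $db->prepare('SELECT user_id FROM sessions WHERE sid = ?');
    $st->execute([$sid]);
    $id = $st->fetchColumn();
    return $id === false ? null : (int)$id;
}

// Login keyed on the username parameter: the name is bound, never
// concatenated, so correct quoting does not depend on magic_quotes_gpc.
function check_login(PDO $db, $username, $password) {
    if (!is_string($username) || !is_string($password)) {
        return false; // array-valued parameters are refused outright
    }
    $st = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $hash = $st->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Constructed inputs: well-formed values and values carrying SQL metacharacters.
var_dump(user_id_for_sid($db, '0123456789abcdef0123456789abcdef')); // well-formed token
var_dump(user_id_for_sid($db, "x' OR '1'='1"));                      // malformed token
var_dump(check_login($db, 'admin', 'constructed-sample-pw'));        // correct pair
var_dump(check_login($db, "admin' --", 'anything'));                 // metacharacters in name
```

In a real deployment the cookie value would come from `$_COOKIE['userSID']` and the name from the login form; the bound parameters treat both as data regardless of the server's quoting configuration.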