Lama

**Name of the Vulnerable Software and Affected Versions** USOLVED NEWSolved version 1.1.6 **Description** The issue allows remote attackers to execute arbitrary SQL commands due to multiple SQL injection vulnerabilities in the newsscript.php file when magic quotes gpc is disabled. This can be achieved via the `jahr` or `idneu` parameter in an archive action, or the `newsid` parameter. **Recommendations** For USOLVED NEWSolved version 1.1.6, consider disabling the archive action or restricting access to the newsscript.php file until a patch is available. Additionally, enabling magic quotes gpc can help mitigate the risk of SQL injection attacks. Avoid using the `jahr`, `idneu`, and `newsid` parameters in the affected API endpoint until the issue is resolved.