Paul Petefish

**Name of the Vulnerable Software and Affected Versions** Sonexis ConferenceManager version 9.3.14.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via two different parameters: the `g` parameter to the "Conference/Audio/AudioResourceContainer.asp" endpoint or the `txtConferenceID` parameter to the "Login/HostLogin.asp" endpoint. **Recommendations** For Sonexis ConferenceManager version 9.3.14.0, consider restricting access to the "Conference/Audio/AudioResourceContainer.asp" and "Login/HostLogin.asp" endpoints until a patch is available. As a temporary workaround, avoid using the `g` and `txtConferenceID` parameters in these endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.