Shader TV · CVE-2008-6641
**Name of the Vulnerable Software and Affected Versions**
Shader TV (Beta) (affected versions not specified)
**Description**
The issue allows remote authenticated administrators to execute arbitrary SQL commands via the `sid` parameter to API endpoints such as "kanal.asp", "google.asp", and "hakk.asp" in the "yonet/" directory. Additionally, remote attackers can execute arbitrary SQL commands via the `username` or `password` fields to the "yonet/default.asp" endpoint.
**Recommendations**
For Shader TV (Beta), as a temporary workaround, consider restricting access to the "yonet/" directory and its contents, such as "kanal.asp", "google.asp", "hakk.asp", and "default.asp", to minimize the risk of exploitation. Avoid using the `sid` parameter in the affected API endpoints until the issue is resolved. Also, restrict the use of the `username` and `password` fields in the "yonet/default.asp" endpoint to prevent arbitrary SQL command execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
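One way to check that the workaround is holding is to review the web server access log for the pages named above. This is an added example, not part of the advisory or the product: it assumes IIS W3C extended logs, an admin range of 10.0.5.0/24, and that legitimate `sid` values are plain integers.

```python
import ipaddress
import re
from urllib.parse import parse_qsl

# Pages the advisory names as taking `sid`; all live under yonet/.
SID_PAGES = {"kanal.asp", "google.asp", "hakk.asp"}
# Assumption: the only range allowed to reach yonet/ (constructed value).
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]

def parse_w3c(lines):
    """Yield one dict per request, using the log's own #Fields: header."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def review(lines):
    """Return (client, path, reason) for requests that break the workaround."""
    findings = []
    for row in parse_w3c(lines):
        path = row.get("cs-uri-stem", "").lower()
        if "/yonet/" not in path:
            continue
        src = ipaddress.ip_address(row["c-ip"])
        if not any(src in net for net in ADMIN_NETS):
            findings.append((row["c-ip"], path, "outside admin range"))
        if path.rsplit("/", 1)[-1] in SID_PAGES:
            # Classic ASP matches query names case-insensitively, so do the same.
            query = row.get("cs-uri-query", "-")
            for name, value in parse_qsl(query, keep_blank_values=True):
                # Assumption: a legitimate sid is a plain integer.
                if name.lower() == "sid" and not re.fullmatch(r"[0-9]+", value):
                    findings.append((row["c-ip"], path, "non-numeric sid"))
    return findings

# Constructed sample log, not taken from a real system.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-01 10:00:00 10.0.5.20 GET /yonet/kanal.asp sid=4 200
2024-01-01 10:00:05 10.0.5.20 GET /yonet/hakk.asp SID=3%20abc 500
2024-01-01 10:01:00 203.0.113.9 POST /yonet/default.asp - 200
2024-01-01 10:02:00 203.0.113.9 GET /index.asp - 200
""".splitlines()

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Form fields such as `username` and `password` are normally not written to the access log, so for `yonet/default.asp` this check can only show who reached the page, not what was submitted.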