PT-2004-3442 · Layton · Layton Helpbox

Published

2004-12-31

·

Updated

2017-07-11

·

CVE-2004-2551

CVSS v2.0

7.5

High

Vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions Layton HelpBox version 3.0.1
Description Multiple SQL injection vulnerabilities let a remote, unauthenticated attacker (the CVSS vector carries Au:N) execute arbitrary SQL against the backend database, which in turn allows creating a new HelpBox user account and reading, modifying or deleting stored data. The injectable parameters are sys_comment_id in editcommentenduser.asp, sys_suspend_id in editsuspensionuser.asp, table in export_data.asp, sys_analgroup in manageanalgrouppreference.asp, sys_asset_id in quickinfoassetrequests.asp, sys_eusername in quickinfoenduserrequests.asp, and sys_request_id in several further ASP pages. In each case the query-string value is placed directly into the SQL text the page sends to the database.
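The pattern behind this advisory, shown as an added example that is not HelpBox code: a lookup that concatenates the sys_request_id query-string value into its SQL beside a version that validates the type and binds it as a parameter. Python's sqlite3 stands in for the ASP/ADO backend, and the table and column names are assumptions chosen for the illustration, not the product's schema. Stacked statements (the route to "create a new user account") need executescript in sqlite3 because its execute refuses multi-statement batches, whereas ADO against SQL Server ran them without complaint.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the HelpBox backend (schema is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE requests (sys_request_id INTEGER, summary TEXT, owner TEXT);
        INSERT INTO requests VALUES (1, 'Printer jam', 'alice');
        INSERT INTO requests VALUES (2, 'VPN down', 'bob');
        INSERT INTO requests VALUES (3, 'Password reset', 'carol');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return conn


def vulnerable_lookup(conn, sys_request_id):
    # The CVE-2004-2551 pattern: the raw query-string value becomes part of the SQL text.
    sql = "SELECT summary, owner FROM requests WHERE sys_request_id = " + sys_request_id
    return conn.execute(sql).fetchall()


def vulnerable_batch(conn, sys_request_id):
    # Same concatenation, run through a call that accepts several statements per
    # batch (as ADO on SQL Server did), so a stacked INSERT executes as well.
    sql = "SELECT summary, owner FROM requests WHERE sys_request_id = " + sys_request_id
    conn.executescript(sql)
    return [row[0] for row in conn.execute("SELECT username FROM users ORDER BY username")]


def hardened_lookup(conn, sys_request_id):
    # Validate the type first, then bind: the value never reaches the SQL parser as code.
    if not sys_request_id.isdigit():
        raise ValueError("sys_request_id must be a positive integer")
    sql = "SELECT summary, owner FROM requests WHERE sys_request_id = ?"
    return conn.execute(sql, (int(sys_request_id),)).fetchall()


def rejects(sys_request_id):
    """True if the hardened lookup refuses the value outright."""
    try:
        hardened_lookup(make_db(), sys_request_id)
    except ValueError:
        return True
    return False


def demo():
    conn = make_db()
    return {
        # tautology: every request row comes back, not just id 1
        "tautology": vulnerable_lookup(conn, "1 OR 1=1"),
        # UNION: rows from the users table ride along on the requests query
        "union": vulnerable_lookup(conn, "0 UNION SELECT username, password FROM users"),
        # stacked statement: an extra account appears in the users table
        "stacked": vulnerable_batch(conn, "1; INSERT INTO users VALUES ('mallory', 'pw')"),
        # parameterised lookup with a well-formed id returns only that row
        "hardened": hardened_lookup(conn, "2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
    print("rejects '1 OR 1=1':", rejects("1 OR 1=1"))
```

The isdigit check is the cheap front-line defence for the id-style parameters in this advisory; it is not a substitute for binding, which is what actually separates data from code for free-text parameters such as sys_eusername.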
Recommendations No release containing a fix is known at the time of writing. Until one is available for Layton HelpBox 3.0.1: restrict access to the affected pages (editcommentenduser.asp, editsuspensionuser.asp, export_data.asp, manageanalgrouppreference.asp, quickinfoassetrequests.asp, quickinfoenduserrequests.asp, and the pages that take sys_request_id) to trusted networks or authenticated help-desk staff; at a reverse proxy or WAF in front of the application, reject non-numeric values for the id-style parameters (sys_comment_id, sys_suspend_id, sys_asset_id, sys_request_id) and restrict the table parameter of export_data.asp to an allowlist of expected names; run the application's database connection under a least-privilege account that cannot create logins or alter the schema, so that a successful injection cannot add accounts; and review IIS logs for requests to these pages whose parameters carry quotes, comment sequences or SQL keywords. If the ASP sources can be modified on site, replacing string-concatenated queries with ADO parameterized commands removes the root cause rather than filtering around it.
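The log-review step above, as an added example that is not part of the advisory: a small triage rule that walks IIS W3C log lines and flags requests to the named HelpBox pages whose vulnerable parameter looks like an injection attempt. The page-to-parameter map comes from the advisory; matching sys_request_id on any .asp page is an assumption, since the advisory does not list those pages. The log lines, the /helpbox/ path prefix, the viewrequest.asp page name and the field layout are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Page -> injectable parameters named in CVE-2004-2551 (file names compared case-insensitively).
AFFECTED = {
    "editcommentenduser.asp": {"sys_comment_id"},
    "editsuspensionuser.asp": {"sys_suspend_id"},
    "export_data.asp": {"table"},
    "manageanalgrouppreference.asp": {"sys_analgroup"},
    "quickinfoassetrequests.asp": {"sys_asset_id"},
    "quickinfoenduserrequests.asp": {"sys_eusername"},
}
# The advisory says sys_request_id is injectable in "multiple ASP files" without naming
# them, so (assumption) the rule watches it on every .asp page.
ANY_ASP = {"sys_request_id"}

# Coarse SQL metacharacter / keyword test; a triage rule, not a parser.
SQLI = re.compile(r"'|--|;|/\*|\bunion\b|\bselect\b|\binsert\b|\bor\s+\d+\s*=", re.I)


def parse_query(query):
    """Split cs-uri-query into {name: [values]}; IIS logs '-' when there is no query."""
    params = {}
    if query in ("", "-"):
        return params
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def suspicious(stem, params):
    """Return (param, value) pairs on an affected page whose value looks like injection."""
    page = stem.rsplit("/", 1)[-1].lower()
    watched = set(AFFECTED.get(page, set()))
    if page.endswith(".asp"):
        watched |= ANY_ASP
    return [(name, value) for name in sorted(watched)
            for value in params.get(name, []) if SQLI.search(value)]


def scan_iis_log(lines):
    """Expects 'date time c-ip cs-method cs-uri-stem cs-uri-query sc-status' (constructed layout)."""
    findings = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        _date, _time, c_ip, _method, stem, query, _status = parts[:7]
        for name, value in suspicious(stem, parse_query(query)):
            findings.append({"ip": c_ip, "page": stem, "param": name, "value": value})
    return findings


# Constructed sample log; the 198.51.100.23 requests are the ones that should fire.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-12-30 10:15:01 10.0.0.5 GET /helpbox/quickinfoassetrequests.asp sys_asset_id=42 200
2004-12-30 10:15:07 198.51.100.23 GET /helpbox/quickinfoassetrequests.asp sys_asset_id=42'+OR+1=1-- 200
2004-12-30 10:15:09 198.51.100.23 GET /helpbox/export_data.asp table=requests;DROP+TABLE+requests-- 200
2004-12-30 10:16:00 10.0.0.7 GET /helpbox/index.asp - 200
2004-12-30 10:16:30 198.51.100.23 GET /helpbox/viewrequest.asp sys_request_id=1%20UNION%20SELECT%20username,password%20FROM%20users 200
""".splitlines()


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['page']} {f['param']}={f['value']!r}")
```

A single quote in sys_eusername will also fire on legitimate names such as O'Brien, so treat hits as leads to correlate by source IP and time rather than as verdicts.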


Related Identifiers

CVE-2004-2551

Affected Products

Layton Helpbox