CVE-2006-0907

Name of the Vulnerable Software and Affected Versions PHP-Nuke versions prior to 7.8 Patched 3.2

Description The issue allows remote attackers to execute arbitrary SQL commands via encoded /%2a (/*) sequences in the query string. This is achieved by bypassing regular expressions intended to protect against SQL injection, as demonstrated via the kala parameter.

Recommendations For versions prior to 7.8 Patched 3.2, update to version 7.8 Patched 3.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoint or disabling the use of the kala parameter until a patch is applied.