CVE-2006-3027

Name of the Vulnerable Software and Affected Versions Enthrallwebe ePhotos versions 2.2 and earlier

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the CAT ID parameter in "subphotos.asp" and "subLevel2.asp", the AL ID parameter in "photo.asp", and the SUB ID parameter in "subLevel2.asp".

Recommendations For Enthrallwebe ePhotos versions 2.2 and earlier, consider restricting access to the affected API endpoints "subphotos.asp", "subLevel2.asp", and "photo.asp" until a patch is available. As a temporary workaround, avoid using the parameters CAT ID, AL ID, and SUB ID in the respective affected files.