CVE-2007-0630

Name of the Vulnerable Software and Affected Versions xNews versions 1.3 and earlier

Description The issue allows remote attackers to execute arbitrary SQL commands via the id, from, and q parameters in the generate csv function. This is due to multiple SQL injection vulnerabilities in classes/class.news.php.

Recommendations For xNews versions 1.3 and earlier, as a temporary workaround, consider restricting access to the generate csv function until a patch is available. Avoid using the parameters id, from, and q in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.