CVE-2007-6127

Name of the Vulnerable Software and Affected Versions project alumni versions 1.0.9 and earlier

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the year parameter to (1) "view.page.inc.php", which is reachable through a view action to "index.php", or (2) the year parameter to "news.page.inc.php", which is reachable through a news action to "index.php".

Recommendations For project alumni versions 1.0.9 and earlier, consider restricting access to the view.page.inc.php and news.page.inc.php files until a patch is available. As a temporary workaround, avoid using the year parameter in the affected API endpoints.