CVE-2007-6366

Name of the Vulnerable Software and Affected Versions SineCMS versions 2.3.4 and earlier

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters, including the id parameter to 'mods/Calendar/index.php' accessed through a Calendar info action to 'mods.php', the id parameter to 'admin/mods adm.php' in a Guestbook modifica or Calendar modify action, or the mese or anno parameters to 'admin/mods adm.php' in a Calendar action. Some vectors might be limited to administrators.

Recommendations For SineCMS versions 2.3.4 and earlier, consider disabling the SQL execution functionality in the affected modules until a patch is available. Restrict access to the 'mods/Calendar/index.php' and 'admin/mods adm.php' scripts to minimize the risk of exploitation. Avoid using the id, mese, and anno parameters in the affected API endpoints until the issue is resolved.