CVE-2008-1632

Name of the Vulnerable Software and Affected Versions CuteFlow version 2.10.0

Description The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved via multiple SQL injection vulnerabilities in various parameters, including the listid parameter to "pages/editmailinglist step1.php", the userid parameter to "pages/edituser.php", the fieldid parameter to "pages/editfield.php", and the templateid parameter to "pages/edittemplate step1.php".

Recommendations For CuteFlow version 2.10.0, consider restricting access to the affected pages, specifically "pages/editmailinglist step1.php", "pages/edituser.php", "pages/editfield.php", and "pages/edittemplate step1.php", until a patch is available. As a temporary workaround, avoid using the listid, userid, fieldid, and templateid parameters in the respective API endpoints. At the moment, there is no information about a newer version that contains a fix for this issue.