CVE-2008-1895

Name of the Vulnerable Software and Affected Versions Carbon Communities versions 2.4 and earlier

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the ID parameter to "events.asp", the UserName parameter to "getpassword.asp", and possibly an unspecified parameter to "option Update.asp" in an edit action.

Recommendations For Carbon Communities versions 2.4 and earlier, consider restricting access to the affected API endpoints "events.asp", "getpassword.asp", and "option Update.asp" until a patch is available. Avoid using the ID and UserName parameters in the respective endpoints until the issue is resolved.