CVE-2008-4080

Name of the Vulnerable Software and Affected Versions Stash version 1.0.3

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the username parameter to "admin/library/authenticate.php" and the download parameter to "downloadmp3.php", when magic quotes gpc is disabled.

Recommendations For Stash version 1.0.3, consider disabling the username and download parameters in the respective API endpoints until a patch is available. Restrict access to "admin/library/authenticate.php" and "downloadmp3.php" to minimize the risk of exploitation. Avoid using the username and download parameters in the affected endpoints until the issue is resolved.