CVE-2008-4356

Name of the Vulnerable Software and Affected Versions: Kasseler CMS versions 1.1.0 through 1.2.0

Description: The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters, including the nid parameter to "index.php" in a View action to the News module, the vid parameter to "index.php" in a Result action to the Voting module, the fid parameter to "index.php" in a ShowForum action to the Forum module, the tid parameter to "index.php" in a ShowTopic action to the Forum module, the uname parameter to "index.php" in a UserInfo action to the Account module, or the module parameter to "index.php", which is probably related to the TopSites module.

Recommendations: For Kasseler CMS version 1.1.0, update to a version that fixes the SQL injection vulnerabilities. For Kasseler CMS version 1.2.0, update to a version that fixes the SQL injection vulnerabilities. As a temporary workaround, consider restricting access to the vulnerable modules, such as the News, Voting, Forum, and Account modules, until a patch is available. Avoid using the parameters nid, vid, fid, tid, uname, and module in the affected API endpoints until the issue is resolved.