CVE-2008-5998

Name of the Vulnerable Software and Affected Versions Ajax Checklist module versions prior to 5.x-1.1 for Drupal

Description The issue allows remote authenticated users with "update ajax checklists" permissions to execute arbitrary SQL commands via a save operation. This is related to the nid, qid, and state parameters in the ajax checklist save function.

Recommendations For Ajax Checklist module versions prior to 5.x-1.1, update to version 5.x-1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the ajax checklist save function or limiting the "update ajax checklists" permissions to minimize the risk of exploitation. Avoid using the nid, qid, and state parameters in the affected function until the issue is resolved.