CVE-2009-2123

Name of the Vulnerable Software and Affected Versions Elvin versions 1.2.0 through 1.2.2

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the inUser (aka Username) and inPass (aka Password) parameters to "inc/login.ei", which is reachable through "login.php", and the id parameter to "show bug.php" and "show activity.php".

Recommendations For Elvin version 1.2.0, consider disabling the login functionality until a patch is available. For Elvin version 1.2.2, restrict access to the "show bug.php" and "show activity.php" pages to minimize the risk of exploitation. Avoid using the inUser and inPass parameters in the "inc/login.ei" endpoint, and the id parameter in the "show bug.php" and "show activity.php" endpoints, until the issue is resolved.