CVE-2009-2326

Name of the Vulnerable Software and Affected Versions KerviNet Forum versions 1.1 and earlier

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via two methods: (1) an enter parol cookie to "index.php" in an auto action, or (2) the topic parameter to "message.php". The second method can also be used for a cross-site scripting (XSS) attack.

Recommendations For KerviNet Forum versions 1.1 and earlier, consider disabling the index.php auto action and restricting access to the message.php endpoint until a fix is available. Avoid using the enter parol cookie and the topic parameter in the affected API endpoints to minimize the risk of exploitation.