CVE-2009-2389

Name of the Vulnerable Software and Affected Versions USOLVED NEWSolved version 1.1.6

Description The issue allows remote attackers to execute arbitrary SQL commands due to multiple SQL injection vulnerabilities in the newsscript.php file when magic quotes gpc is disabled. This can be achieved via the jahr or idneu parameter in an archive action, or the newsid parameter.

Recommendations For USOLVED NEWSolved version 1.1.6, consider disabling the archive action or restricting access to the newsscript.php file until a patch is available. Additionally, enabling magic quotes gpc can help mitigate the risk of SQL injection attacks. Avoid using the jahr, idneu, and newsid parameters in the affected API endpoint until the issue is resolved.