CVE-2009-3040

Name of the Vulnerable Software and Affected Versions: OCS Inventory NG version 1.02 for Unix

Description: The issue allows remote attackers to execute arbitrary SQL commands. This is achieved through SQL injection vulnerabilities in the download.php and group show.php scripts. The vulnerable parameters are N, DL, O, V in download.php and SYSTEMID in group show.php.

Recommendations: For OCS Inventory NG version 1.02 for Unix, as a temporary workaround, consider restricting access to the download.php and group show.php scripts until a patch is available. Avoid using the parameters N, DL, O, V in the download.php script and the SYSTEMID parameter in the group show.php script to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.