PT-2010-4701 · Core Technology Consulting · Bugtracker.Net
Alejandro Frydman
Published 2010-12-02 · Updated 2018-10-10
CVE-2010-3267
CVSS v2.0: 6.5 (Medium)
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
BugTracker.NET versions prior to 3.4.5
Description
The issue allows remote authenticated users to execute arbitrary SQL commands. This can be achieved via several parameters, including qu_id in "bugs.aspx", row_id in "delete_query.aspx", new_project or us_id in "edit_bug.aspx", and bug_list in "massedit.aspx".
Recommendations
For versions prior to 3.4.5, update to version 3.4.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected pages, such as "bugs.aspx", "delete_query.aspx", "edit_bug.aspx", and "massedit.aspx", and avoid using the vulnerable parameters qu_id, row_id, new_project, us_id, and bug_list until the update is applied.
Exploit
Fix
SQL injection
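The temporary workaround above (restricting access to the listed pages until 3.4.5 is deployed) can be applied with ASP.NET URL authorization in the site's web.config. The fragment below is an added example written for this advisory, not configuration shipped by BugTracker.NET or Positive Technologies. It assumes the application is hosted as a standard ASP.NET site whose web.config lives in the site root, and the role name "admin" is a placeholder to be replaced with whatever role the deployment actually uses; it also assumes the deployment is willing to make these pages unreachable for ordinary authenticated users for the duration of the workaround, which for "bugs.aspx" in particular will make the tracker largely unusable for them.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example fragment for web.config in the site root.
     The <location> elements are additive and sit alongside the existing
     <system.web> section. "admin" is a placeholder role name. -->
<configuration>

  <!-- Default (effective before the workaround): every authenticated user
       may request every page, including the four pages whose parameters
       the advisory lists. -->
  <system.web>
    <authorization>
      <deny users="?" />   <!-- anonymous users -->
      <allow users="*" />  <!-- all authenticated users -->
    </authorization>
  </system.web>

  <!-- Workaround: per-page rules limiting each affected page to the
       placeholder role. ASP.NET evaluates rules top-down and stops at the
       first match, so the allow must precede the deny. -->
  <location path="bugs.aspx">
    <system.web>
      <authorization>
        <allow roles="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="delete_query.aspx">
    <system.web>
      <authorization>
        <allow roles="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="edit_bug.aspx">
    <system.web>
      <authorization>
        <allow roles="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="massedit.aspx">
    <system.web>
      <authorization>
        <allow roles="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

</configuration>
```

Requests from users outside the placeholder role are rejected by the URL authorization module before the page code runs, so the vulnerable parameters are never reached by those users. This only narrows who can reach the pages; it does not fix the injection, so it should be removed once the update to 3.4.5 or later is in place. Verify the rules by requesting each page as a non-privileged account and confirming an access-denied response, and check that URL authorization is actually enforced for .aspx requests in the IIS pipeline mode the site uses.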
Weakness Enumeration
Related Identifiers
Affected Products: Bugtracker.Net