CVE-2011-5072

Name of the Vulnerable Software and Affected Versions Support Incident Tracker (aka SiT!) versions prior to 3.65

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via various parameters in different PHP files, including the start parameter to "portal/kb.php", the contractid parameter to "contract add service.php", the id parameter to "edit escalation path.php", the unlock, lock, or selected parameter to "holding queue.php", the inc parameter in a report action to "report customers.php" or "report incidents by site.php", the start parameter to "search.php", or the sites parameter to "transactions.php".

Recommendations For versions prior to 3.65, update to version 3.65 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected PHP files until a patch is available. Avoid using the vulnerable parameters in the affected API endpoints until the issue is resolved.