CVE-2012-2937

Name of the Vulnerable Software and Affected Versions Pligg CMS versions prior to 1.2.2

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved through several parameters in different actions and files, including the "list" parameter in a move action to "admin/admin index.php", the "display" parameter in a minimize action to "admin/admin index.php", the "enabled[]" parameter to "admin/admin users.php", or the "msg id" to the "module.php" in the simple messaging module.

Recommendations For Pligg CMS versions prior to 1.2.2, update to version 1.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "admin/admin index.php", "admin/admin users.php", and "module.php" in the simple messaging module to minimize the risk of exploitation. Avoid using the parameters list, display, enabled[], and msg id in the affected actions until the issue is resolved.