CVE-2012-6434

Name of the Vulnerable Software and Affected Versions e107 version 1.0.2

Description The issue allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks. This is achieved through multiple cross-site request forgery (CSRF) vulnerabilities in the e107 admin/download.php file. The vulnerable parameters include download url, download url extended, download author email, download author website, download image, download thumb, download visible, and download class.

Recommendations For e107 version 1.0.2, as a temporary workaround, consider restricting access to the e107 admin/download.php file until a patch is available. Avoid using the vulnerable parameters in this file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.