CVE-2013-7349

Name of the Vulnerable Software and Affected Versions Gnew version 2013.1

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the news id parameter to "news/send.php", the thread id parameter to "posts/edit.php", or the user email parameter to "users/password.php" or "users/register.php".

Recommendations For Gnew version 2013.1, consider disabling the SQL execution functionality in the affected scripts until a patch is available. Restrict access to the "news/send.php", "posts/edit.php", "users/password.php", and "users/register.php" scripts to minimize the risk of exploitation. Avoid using the news id, thread id, and user email parameters in the respective API endpoints until the issue is resolved.