CVE-2014-1401

Name of the Vulnerable Software and Affected Versions AuraCMS versions 2.3 and earlier

Description The issue allows remote authenticated users to execute arbitrary SQL commands. This can be achieved via the search parameter to "mod/content/content.php" or through the CLIENT IP, X FORWARDED FOR, X FORWARDED, FORWARDED FOR, or FORWARDED HTTP headers to "index.php".

Recommendations For AuraCMS versions 2.3 and earlier, update to a version later than 2.3 to resolve the issue. As a temporary workaround, consider restricting access to the "mod/content/content.php" and "index.php" files to minimize the risk of exploitation. Avoid using the search parameter in the affected API endpoint until the issue is resolved. Restrict the use of the CLIENT IP, X FORWARDED FOR, X FORWARDED, FORWARDED FOR, or FORWARDED HTTP headers in "index.php" to prevent SQL injection attacks.