PT-2014-7013 · Classapps · Selectsurvey.Net

Billv-Lists · Published 2014-11-06 · Updated 2014-11-06 · CVE-2014-6030

CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: ClassApps SelectSurvey.NET versions prior to 4.125.002

Description: The issue allows remote attackers to execute arbitrary SQL commands via the SurveyID parameter to "/survey/ReviewReadOnlySurvey.aspx", or remote authenticated users to execute arbitrary SQL commands via the SurveyID parameter to "/survey/UploadImagePopupToDb.aspx".

Recommendations: For versions prior to 4.125.002, update to version 4.125.002 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/survey/ReviewReadOnlySurvey.aspx" and "/survey/UploadImagePopupToDb.aspx" endpoints until the update is applied. Avoid using the SurveyID parameter in these endpoints until the issue is resolved.
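As an added detection example (not part of the advisory), the following Python scans IIS W3C log lines for requests to the two affected endpoints whose SurveyID value is not a plain integer, which is the shape a tampered parameter usually takes. The integer-only assumption about legitimate SurveyID values and the sample log lines are constructed here, not taken from the advisory or the product.

```python
import re
from urllib.parse import parse_qs

# Endpoints named in the advisory; paths are compared case-insensitively, as IIS does.
AFFECTED_ENDPOINTS = {
    "/survey/reviewreadonlysurvey.aspx": "reachable unauthenticated",
    "/survey/uploadimagepopuptodb.aspx": "requires authentication",
}

# Assumption (not stated in the advisory): a legitimate SurveyID is a plain integer.
VALID_SURVEYID = re.compile(r"^\d{1,10}$")


def parse_w3c_line(line):
    """Split one IIS W3C line laid out as: date time method uri-stem uri-query status."""
    parts = line.split()
    if len(parts) < 6 or line.startswith("#"):
        return None
    return {"stem": parts[3].lower(), "query": parts[4], "status": parts[5]}


def surveyid_finding(line):
    """Return (endpoint, raw SurveyID value) when the request targets an affected
    endpoint with a SurveyID that is not a plain integer, otherwise None."""
    req = parse_w3c_line(line)
    if req is None or req["stem"] not in AFFECTED_ENDPOINTS:
        return None
    # IIS logs the query string URL-encoded and writes "-" when it is empty.
    query = "" if req["query"] == "-" else req["query"]
    params = parse_qs(query, keep_blank_values=True)
    # ASP.NET matches parameter names case-insensitively, so normalise the key.
    values = [v for k, vs in params.items() if k.lower() == "surveyid" for v in vs]
    for value in values:
        if not VALID_SURVEYID.match(value):
            return (req["stem"], value)
    return None


def scan(lines):
    """Collect findings over a sequence of log lines."""
    return [f for f in (surveyid_finding(l) for l in lines) if f]


# Constructed sample log lines (not from a real deployment).
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2014-11-06 10:00:01 GET /survey/ReviewReadOnlySurvey.aspx SurveyID=123 200
2014-11-06 10:00:02 GET /survey/ReviewReadOnlySurvey.aspx surveyid=123%27 500
2014-11-06 10:00:03 POST /survey/UploadImagePopupToDb.aspx SurveyID=5%3B-- 200
2014-11-06 10:00:04 GET /survey/TakeSurvey.aspx SurveyID=abc 200
""".splitlines()

if __name__ == "__main__":
    for endpoint, value in scan(SAMPLE_LOG):
        print(f"suspicious SurveyID at {endpoint} ({AFFECTED_ENDPOINTS[endpoint]}): {value!r}")
```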

Tags: Exploit · Fix

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2014-6030

Affected Products

Selectsurvey.Net