PT-2014-8869 · Smarty Pants Plugins · Sp Project & Document Manager
Published
2014-12-02
·
Updated
2018-10-09
·
CVE-2014-9178
CVSS v2.0
7.5
High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Smarty Pants Plugins SP Project & Document Manager plugin versions 2.4.1 and earlier
Description
Multiple SQL injection vulnerabilities allow remote attackers to execute arbitrary SQL commands. The injection points are the
vendor email[] parameter of the email vendor function and the id parameter of the download project, download archive, and remove cat functions. The CVSS vector (network-reachable, low complexity, no authentication) reflects that the affected parameters are reachable without credentials.
Recommendations
Update to a version later than 2.4.1. If updating is not immediately possible, restrict access to the
email vendor, download project, download archive, and remove cat functions, and reject any request in which the vendor email[] or id parameter is not strictly of the expected form (a positive integer for id, well-formed addresses for email[]).
Exploit
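The following is an added illustration of the vulnerability class, not exploit material from this page and not code from SP Project & Document Manager: it shows, with SQLite, how an `id` value or an `email[]` array spliced into a query lets the attacker change the WHERE clause, and the parameterised form that closes it. The `vendors` table, its columns, the sample rows and the function names are assumptions made for the demo.

```python
# Added example, not the plugin's code: an unsanitised `id` or `email[]`
# request parameter spliced into SQL, beside the parameterised fix.
# Table name, columns, rows and function names are assumptions for the demo.
import sqlite3

# Constructed sample data standing in for a vendor table.
SAMPLE_VENDORS = [
    (1, "alice@example.test", "Alpha Supplies"),
    (2, "bob@example.test", "Beta Logistics"),
    (3, "carol@example.test", "Gamma Print"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vendors (id INTEGER PRIMARY KEY, email TEXT, company TEXT)"
    )
    conn.executemany("INSERT INTO vendors VALUES (?, ?, ?)", SAMPLE_VENDORS)
    return conn


def download_project_vulnerable(conn, project_id):
    """Vulnerable pattern: the request value is concatenated into the statement,
    so "2 OR 1=1" rewrites the WHERE clause and returns every row."""
    sql = "SELECT id, email FROM vendors WHERE id = " + project_id
    return conn.execute(sql).fetchall()


def download_project_fixed(conn, project_id):
    """Hardened: enforce the expected type first, then bind the value."""
    if not project_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return conn.execute(
        "SELECT id, email FROM vendors WHERE id = ?", (int(project_id),)
    ).fetchall()


def email_vendor_vulnerable(conn, emails):
    """Vulnerable pattern for an array parameter such as email[]: each value is
    quoted by hand and joined into an IN (...) list, so a single element
    containing a quote breaks out of the literal."""
    sql = (
        "SELECT id, email FROM vendors WHERE email IN ('"
        + "','".join(emails)
        + "')"
    )
    return conn.execute(sql).fetchall()


def email_vendor_fixed(conn, emails):
    """Hardened: one placeholder per array element, values bound separately.
    An empty array yields no query at all (IN () is invalid SQL)."""
    if not emails:
        return []
    placeholders = ",".join("?" * len(emails))
    sql = "SELECT id, email FROM vendors WHERE email IN (" + placeholders + ")"
    return conn.execute(sql, tuple(emails)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed payloads: a tautology for id, a quote break-out for email[].
    print("vulnerable id:   ", download_project_vulnerable(db, "2 OR 1=1"))
    print("vulnerable email:", email_vendor_vulnerable(db, ["x') OR ('1'='1"]))
    print("fixed email:     ", email_vendor_fixed(db, ["x') OR ('1'='1"]))
    try:
        download_project_fixed(db, "2 OR 1=1")
    except ValueError as exc:
        print("fixed id rejected:", exc)
```

The fix has two parts a practitioner should check in any patch for this class: the value is validated against the type the function expects (an integer id, a list of addresses) before it reaches the database layer, and it is then passed as a bound parameter rather than interpolated. Escaping alone would not have helped the `id` case, because a numeric comparison needs no quotes to break out of.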
Fix
RCE
SQL injection
Weakness Enumeration
Related identifiers
Affected products
Sp Project & Document Manager