CVE-2014-9435

Name of the Vulnerable Software and Affected Versions Absolut Engine version 1.73

Description The issue allows remote authenticated users to execute arbitrary SQL commands. This can be achieved via several parameters, including the sectionID parameter to "admin/managersection.php", the userID parameter to "admin/edituser.php", the username parameter to "admin/admin.php", or the title parameter to "admin/managerrelated.php".

Recommendations For Absolut Engine version 1.73, consider restricting access to the affected API endpoints, specifically "admin/managersection.php", "admin/edituser.php", "admin/admin.php", and "admin/managerrelated.php", until a patch is available. Avoid using the parameters sectionID, userID, username, and title in the respective endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.