CVE-2015-1428

Name of the Vulnerable Software and Affected Versions Sefrengo versions prior to 1.6.2

Description The issue allows remote attackers to execute arbitrary SQL commands via the sefrengo cookie in a login to "backend/main.php" or remote authenticated users to execute arbitrary SQL commands via the value id parameter in a "save value" action to "backend/main.php".

Recommendations For versions prior to 1.6.2, update to version 1.6.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "backend/main.php" endpoint and validating user input for the value id parameter and sefrengo cookie to minimize the risk of exploitation.