CVE-2015-1514

Name of the Vulnerable Software and Affected Versions FancyFon FAMOC versions prior to 3.17.4

Description The issue allows remote attackers to execute arbitrary SQL commands via the device ID REST parameter in the /ajax.php API endpoint, and also allows remote authenticated users to execute arbitrary SQL commands via the order parameter in the index.php endpoint.

Recommendations For versions prior to 3.17.4, update to version 3.17.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the /ajax.php and index.php endpoints to minimize the risk of exploitation. Avoid using the device ID and order parameters in the affected API endpoints until the issue is resolved.