CVE-2015-1576

Name of the Vulnerable Software and Affected Versions u5CMS versions prior to 3.9.4

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several API endpoints, including "copy2.php", "localize.php", "metai.php", "nc.php", "new2.php", and "rename2.php" in the "u5admin/" directory, by manipulating the name parameter. Additionally, the "c" parameter in "u5admin/editor.php", the typ parameter in "u5admin/meta2.php", and the newname parameter in "u5admin/rename2.php" are also vulnerable.

Recommendations For versions prior to 3.9.4, update to version 3.9.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints and parameters, such as name, c, typ, and newname, until a patch is applied.