CVE-2015-7299

Name of the Vulnerable Software and Affected Versions K2 blackpearl version 4.6.7 K2 smartforms version 4.6.7 K2 for SharePoint version 4.6.7

Description The issue allows remote attackers to execute arbitrary SQL commands via the xml parameter in the Runtime/Runtime/AjaxCall.ashx file. This can be exploited by sending malicious input to the affected endpoint.

Recommendations For K2 blackpearl version 4.6.7, consider restricting access to the Runtime/Runtime/AjaxCall.ashx file until a patch is available. For K2 smartforms version 4.6.7, avoid using the xml parameter in the affected API endpoint until the issue is resolved. For K2 for SharePoint version 4.6.7, as a temporary workaround, consider disabling the AjaxCall.ashx file to prevent exploitation.