CVE-2017-12585

Name of the Vulnerable Software and Affected Versions SLiMS versions 8 Akasia through 8.3.1

Description The issue allows for SQL injection through specific parameters and files, including tableName and tableFields in admin/AJAX lookup handler.php, as well as vulnerabilities in admin/AJAX check id.php and admin/AJAX vocabolary control.php. This can be exploited by remote authenticated librarian users.

Recommendations For versions 8 Akasia through 8.3.1, consider restricting access to the vulnerable files admin/AJAX lookup handler.php, admin/AJAX check id.php, and admin/AJAX vocabolary control.php until a patch is available. As a temporary workaround, avoid using the tableName and tableFields parameters in the affected API endpoints.