CVE-2015-2146

Name of the Vulnerable Software and Affected Versions phpBugTracker versions prior to 1.7.0

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters, including the id parameter to "project.php", the group id parameter to "group.php", the status id parameter to "status.php", the resolution id parameter to "resolution.php", the severity id parameter to "severity.php", the priority id parameter to "priority.php", the os id parameter to "os.php", or the site id parameter to "site.php".

Recommendations For phpBugTracker versions prior to 1.7.0, update to version 1.7.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints, such as "project.php", "group.php", "status.php", "resolution.php", "severity.php", "priority.php", "os.php", and "site.php", until a patch is applied. Avoid using the parameters id, group id, status id, resolution id, severity id, priority id, os id, and site id in the respective affected endpoints until the issue is resolved.