CVE-2015-8355

Name of the Vulnerable Software and Affected Versions Bitrix orion.extfeedbackform module versions prior to 2.1.3

Description The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved via the order or "by" parameter to the "admin/orion.extfeedbackform efbf forms.php" endpoint.

Recommendations For versions prior to 2.1.3, update the orion.extfeedbackform module to version 2.1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "admin/orion.extfeedbackform efbf forms.php" endpoint and avoid using the order or "by" parameters until the update is applied.