CVE-2017-17970

Name of the Vulnerable Software and Affected Versions: Muviko version 1.1

Description: The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters, including the email parameter to "login.php", the season id parameter to "themes/flixer/ajax/load season.php", the movie id parameter to "themes/flixer/ajax/get rating.php", the rating or movie id parameter to "themes/flixer/ajax/update rating.php", or the id parameter to "themes/flixer/ajax/set player source.php".

Recommendations: For Muviko version 1.1, consider disabling the affected API endpoints, specifically "login.php", "themes/flixer/ajax/load season.php", "themes/flixer/ajax/get rating.php", "themes/flixer/ajax/update rating.php", and "themes/flixer/ajax/set player source.php", until a patch is available. Additionally, restrict the use of the vulnerable parameters email, season id, movie id, rating, and id to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.