Avaya · Avaya AG250 - Broadcast Server · CVE-2008-5882
**Name of the Vulnerable Software and Affected Versions**
Citrix Application Gateway - Broadcast Server (BCS) versions prior to 6.1
Avaya AG250 - Broadcast Server versions prior to 2.0
**Description**
A SQL injection vulnerability in `login.asp` allows remote attackers to execute arbitrary SQL commands via the `txtUID` parameter.
**Recommendations**
For Citrix Application Gateway - Broadcast Server (BCS) versions prior to 6.1, update to version 6.1 or later.
For Avaya AG250 - Broadcast Server versions prior to 2.0, update to version 2.0 or later.
As a temporary workaround, consider restricting access to the `login.asp` file until a patch is available.
Avoid using the `txtUID` parameter in the affected login endpoint until the issue is resolved.