Acid · Acid · CVE-2005-3325
**Name of the Vulnerable Software and Affected Versions**
Analysis Console for Intrusion Databases (ACID) version 0.9.6b20
Basic Analysis and Security Engine (BASE) version 1.2
**Description**
The issue allows remote attackers to execute arbitrary SQL commands. This is achieved through SQL injection vulnerabilities in certain console scripts, including `acid_qry_main.php` in ACID and `base_qry_main.php` in BASE. The `sig[1]` parameter is specifically mentioned as a vector for this attack, and it is possible that other parameters are also vulnerable.
**Recommendations**
For Analysis Console for Intrusion Databases (ACID) version 0.9.6b20, consider restricting access to the `acid_qry_main.php` script until a patch is available.
For Basic Analysis and Security Engine (BASE) version 1.2, consider restricting access to the `base_qry_main.php` script until a patch is available.
Avoid using the `sig[1]` parameter in the affected scripts until the issue is resolved.
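While access to the scripts is being restricted, web server access logs can be reviewed for requests that reached them with SQL string-breaking characters in `sig[1]` or any other parameter. The following is an added example, not code from ACID, BASE or the advisory; the combined log format, the character heuristic, the sample log lines and the `example_param` name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script names are the ones the advisory lists; the rest is assumed.
AFFECTED_SCRIPTS = {"acid_qry_main.php", "base_qry_main.php"}
# Tokens that can end or comment out a SQL string literal (assumed heuristic).
SUSPICIOUS = re.compile(r"""['"`;\\\x00]|--|/\*""")
# Client address, request target and status from a combined-format log line.
REQUEST = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log lines (documentation addresses, made-up values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2005:10:00:01 +0000] "GET /base/base_qry_main.php?sig%5B0%5D=%3D&sig%5B1%5D=portscan HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Nov/2005:10:02:13 +0000] "GET /acid/acid_qry_main.php?sig%5B0%5D=%3D&sig%5B1%5D=x%27 HTTP/1.1" 200 911',
    '198.51.100.7 - - [01/Nov/2005:10:02:20 +0000] "GET /index.php?example_param=%27 HTTP/1.1" 200 300',
    '203.0.113.5 - - [01/Nov/2005:10:05:44 +0000] "GET /base/base_qry_main.php?example_param=1%27 HTTP/1.1" 500 120',
]

def scan_line(line):
    """Return a finding for a log line that needs review, otherwise None."""
    m = REQUEST.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    script = url.path.rsplit("/", 1)[-1]
    if script not in AFFECTED_SCRIPTS:
        return None
    # parse_qsl percent-decodes names and values: sig%5B1%5D becomes sig[1].
    # Every parameter is checked because the advisory says others may be affected.
    hits = [(k, v) for k, v in parse_qsl(url.query, keep_blank_values=True)
            if SUSPICIOUS.search(v)]
    if not hits:
        return None
    return {"ip": m["ip"], "script": script,
            "status": int(m["status"]), "params": hits}

def scan(lines):
    """Scan an iterable of log lines and return the findings in order."""
    return [f for f in map(scan_line, lines) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only query strings are visible in an access log, so requests that carry the parameter in a POST body need request-body logging or a database-side audit to be seen.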