CVE-2006-0897

Name of the Vulnerable Software and Affected Versions VCS Virtual Program Management Intranet (VPMi) Enterprise version 3.3

Description A SQL injection issue allows remote attackers to execute arbitrary SQL commands via the UpdateID0 parameter to "Service Requests.asp". The vendor has disputed this issue, stating that their complex state management system protects against this type of SQL injection. However, further investigation suggests that the original researcher might have triggered errors using invalid field values, which is not proof of SQL injection.

Recommendations For version 3.3, as a temporary workaround, consider restricting access to the "Service Requests.asp" endpoint until the issue is resolved. Avoid using the UpdateID0 parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.