PT-2006-3668 · Osic · Open Searchable Image Catalogue
Nenad Jovanovic · Published 2006-06-01 · Updated 2018-10-18 · CVE-2006-2748
CVSS v2.0: 6.4 (Medium)
| Vector | AV:N/AC:L/Au:N/C:N/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Open Searchable Image Catalogue (OSIC) versions prior to 0.7.0.1
Description
The issue allows remote attackers to inject arbitrary SQL commands via multiple vectors. This is demonstrated by the type parameter in "adminfunctions.php" and the catalogue id parameter in "editcatalogue.php".
Recommendations
For versions prior to 0.7.0.1, update to version 0.7.0.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the do mysql query function in "core.php" until a patch is available. Avoid using the type parameter in "adminfunctions.php" and the catalogue id parameter in "editcatalogue.php" until the issue is resolved.
Fix
Related identifiers
Affected products
Open Searchable Image Catalogue