PT-2006-3915 · Obm · Open Business Management

Published 2006-06-13 · Updated 2017-07-20 · CVE-2006-3010

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Open Business Management (OBM) version 1.0.3 pl1

Description: Multiple SQL injection flaws allow remote attackers to execute arbitrary SQL commands. They are reached through several request parameters to the application's PHP scripts: the new_order and order_dir parameters to "index.php", "group/group_index.php", "user/user_index.php", "list/list_index.php", and "company/company_index.php", and the entity and tf_dateafter parameters to "company/company_index.php".

Recommendations: For Open Business Management (OBM) version 1.0.3 pl1, consider restricting access to the vulnerable scripts ("index.php", "group/group_index.php", "user/user_index.php", "list/list_index.php", and "company/company_index.php") until a patch is available. Avoid passing the new_order, order_dir, entity, and tf_dateafter parameters to the affected scripts to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
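Parameters named new_order and order_dir are typically sort controls spliced straight into an ORDER BY clause, which is the one part of a query that cannot be protected with bound parameters. The snippet below is an added illustration, not OBM's code: it places the vulnerable construction beside an allowlist-based version, using a constructed `company` table in an in-memory SQLite database (table layout, column names and sample rows are assumptions).

```python
import sqlite3

# Constructed allowlist: the only sort columns and directions the page may request.
SORTABLE_COLUMNS = {"id", "name", "created"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

# Constructed tainted input: a sort value that carries extra SQL after the column name.
TAINTED_ORDER = "name LIMIT 1 --"


def build_order_vulnerable(new_order: str, order_dir: str) -> str:
    """Pattern the advisory describes: request values spliced into ORDER BY."""
    return f"SELECT id, name FROM company ORDER BY {new_order} {order_dir}"


def build_order_safe(new_order: str, order_dir: str) -> str:
    """Map both sort values through an allowlist before they touch the query text."""
    if new_order not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {new_order!r}")
    direction = SORT_DIRECTIONS.get(order_dir.lower())
    if direction is None:
        raise ValueError(f"unsupported sort direction: {order_dir!r}")
    return f"SELECT id, name FROM company ORDER BY {new_order} {direction}"


def is_accepted(new_order: str, order_dir: str) -> bool:
    """True if the hardened builder accepts the pair, False if it rejects it."""
    try:
        build_order_safe(new_order, order_dir)
        return True
    except ValueError:
        return False


def run_query(query: str) -> list:
    """Run a query against a fresh in-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE company (id INTEGER, name TEXT, created TEXT)")
    conn.executemany(
        "INSERT INTO company VALUES (?, ?, ?)",
        [(1, "acme", "2006-01-01"), (2, "beta", "2006-02-01")],
    )
    return conn.execute(query).fetchall()


if __name__ == "__main__":
    # The vulnerable builder lets the tainted value change the statement: only one
    # row comes back because the injected LIMIT took effect and "--" ate the direction.
    print(run_query(build_order_vulnerable(TAINTED_ORDER, "asc")))
    # The hardened builder refuses the same value outright.
    print(is_accepted(TAINTED_ORDER, "asc"), is_accepted("name", "desc"))
```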

Exploit


Related Identifiers

CVE-2006-3010

Affected Products

Open Business Management