PT-2006-5245 · Cybozu · Cybozu Garoon
Tan Chew Keong · Published 2006-08-29 · Updated 2017-07-20 · CVE-2006-4444
CVSS v2.0: 6.5 (Medium)
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Cybozu Garoon version 2.1.0 for Windows
Description
The issue allows remote authenticated users to execute arbitrary SQL commands. This can be achieved via various parameters in different functionalities, including the tid parameter in 'todo/view', 'todo/modify', or 'todo/delete' functionality; the pid parameter in 'workflow/view' or 'workflow/print' functionality; the uid parameter in 'schedule/user view', 'phonemessage/add', 'phonemessage/history', or 'schedule/view' functionality; the cid parameter in 'todo/index'; the iid parameter in 'memo/view' or 'memo/print' functionality; or the event parameter in 'schedule/view' functionality.
Recommendations
For Cybozu Garoon version 2.1.0 for Windows, consider disabling the functionalities that utilize the vulnerable parameters until a patch is available. Specifically, restrict access to the 'todo/view', 'todo/modify', 'todo/delete', 'workflow/view', 'workflow/print', 'schedule/user view', 'phonemessage/add', 'phonemessage/history', 'schedule/view', 'todo/index', 'memo/view', and 'memo/print' functionalities to minimize the risk of exploitation. Avoid using the tid, pid, uid, cid, iid, and event parameters in the respective API endpoints until the issue is resolved.
Exploit
Fix
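The access restrictions recommended above can be complemented by monitoring. The following is an added example, not part of this advisory or of Cybozu's code: it scans web-server access log lines for requests to the listed Garoon functionalities whose watched parameters carry values that are not simple identifiers. The grn.cgi path prefix, the combined log format and the assumption that these parameters expect plain ids are assumptions of the example, not facts from the advisory.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Functionalities and parameters named in the advisory (CVE-2006-4444).
WATCHED = {
    "todo/view": {"tid"}, "todo/modify": {"tid"}, "todo/delete": {"tid"},
    "workflow/view": {"pid"}, "workflow/print": {"pid"},
    "schedule/user view": {"uid"}, "phonemessage/add": {"uid"},
    "phonemessage/history": {"uid"}, "schedule/view": {"uid", "event"},
    "todo/index": {"cid"}, "memo/view": {"iid"}, "memo/print": {"iid"},
}
# Assumption (not stated in the advisory): these parameters carry simple ids.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_\-]{0,64}$")
# Only the request target of a combined-format access log line is needed.
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(target):
    """Return (functionality, param, decoded value) for watched params with odd values."""
    parts = urlsplit(target)
    path = unquote(parts.path)  # 'schedule/user%20view' -> 'schedule/user view'
    hits = []
    for func, params in WATCHED.items():
        if not path.endswith("/" + func):
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name in params and not SAFE_VALUE.match(value):
                hits.append((func, name, value))
    return hits


def scan_log(lines):
    """Return (line_no, functionality, param, value) for every flagged request."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        for func, name, value in (suspicious_params(m.group("target")) if m else []):
            findings.append((n, func, name, value))
    return findings


# Constructed sample lines (not real traffic); the grn.cgi path prefix is assumed.
SAMPLE_LOG = [
    '10.0.0.5 - alice [29/Aug/2006:10:00:01 +0900] "GET /cgi-bin/cbgrn/grn.cgi/todo/view?tid=42 HTTP/1.1" 200 5120',
    '10.0.0.5 - alice [29/Aug/2006:10:00:07 +0900] "GET /cgi-bin/cbgrn/grn.cgi/todo/view?tid=42%27%20OR%201%3D1-- HTTP/1.1" 500 311',
    '10.0.0.9 - bob [29/Aug/2006:10:01:00 +0900] "GET /cgi-bin/cbgrn/grn.cgi/schedule/user%20view?uid=7 HTTP/1.1" 200 4096',
    '10.0.0.9 - bob [29/Aug/2006:10:01:30 +0900] "GET /cgi-bin/cbgrn/grn.cgi/memo/view?iid=3;%20DROP HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for n, func, name, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: {func} {name}={value!r}")
```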
Related Identifiers
Affected Products
Cybozu Garoon