CVE-2006-6177

Name of the Vulnerable Software and Affected Versions Neocrome Seditio versions 1.10 and earlier

Description The issue allows remote authenticated users to execute arbitrary SQL commands via a double-url-encoded id parameter to "users.php" that begins with a valid filename. This can be demonstrated by using a filename such as "default.gif" followed by an encoded NULL and ' (apostrophe) (%2500%2527).

Recommendations For Neocrome Seditio versions 1.10 and earlier, consider restricting access to the "users.php" endpoint until a fix is available, and avoid using the id parameter in this endpoint to minimize the risk of exploitation.