CVE-2007-2339

Name of the Vulnerable Software and Affected Versions Phorum versions prior to 5.1.22

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved through multiple vectors, including a modified recipients parameter name in "pm.php", the curr parameter to the "badwords" or "banlist" module in "admin.php", or the "Edit groups / Add group" field in the "groups" module in "admin.php".

Recommendations For Phorum versions prior to 5.1.22, update to version 5.1.22 or later to resolve the issue. As a temporary workaround, consider restricting access to the "pm.php", "admin.php" files, specifically the "badwords", "banlist", and "groups" modules, until a patch is applied. Avoid using the recipients and curr parameters in the affected API endpoints until the issue is resolved.