CVE-2007-2577

Name of the Vulnerable Software and Affected Versions ACP3 version 4.0 beta 3

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the "mode" parameter to "feeds.php", the "form[cat]" parameter to "news/list/index.php" or certain "news/details/id */action create/index.php" files, or the "form[mods][]" parameter to "search/list/action search/index.php".

Recommendations For ACP3 version 4.0 beta 3, consider restricting access to the affected API endpoints, such as "feeds.php", "news/list/index.php", "news/details/id */action create/index.php", and "search/list/action search/index.php", until a patch is available. As a temporary workaround, avoid using the mode parameter in "feeds.php", the form[cat] parameter in "news/list/index.php" or "news/details/id */action create/index.php", and the form[mods][] parameter in "search/list/action search/index.php" to minimize the risk of exploitation.