CVE-2007-6433

Name of the Vulnerable Software and Affected Versions JBoss Seam versions prior to 2.0.0.CR3

Description The issue allows remote attackers to inject and execute arbitrary EJBQL commands. This is possible due to a flaw in the getRenderedEjbql method in the org.jboss.seam.framework.Query class. The order parameter is specifically vulnerable to this type of injection.

Recommendations For JBoss Seam versions prior to 2.0.0.CR3, update to version 2.0.0.CR3 or later to resolve the issue. As a temporary workaround, consider restricting access to the getRenderedEjbql method in the org.jboss.seam.framework.Query class to minimize the risk of exploitation. Avoid using the order parameter in affected queries until the issue is resolved.