CVE-2007-6498

Name of the Vulnerable Software and Affected Versions Hosting Controller versions prior to 6.1 Hot fix 3.3

Description The issue allows remote authenticated users to execute arbitrary SQL commands. This can be achieved via the email and loginname parameters to "Hosting/Addreseller.asp", the sortfield parameter to "accounts/accountmanager.asp", the GateWayID parameter to "OpenApi/GatewayVariables.asp", and possibly other vectors to "IIS/iibind.asp".

Recommendations For Hosting Controller versions prior to 6.1 Hot fix 3.3, update to version 6.1 Hot fix 3.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints, such as "Hosting/Addreseller.asp", "accounts/accountmanager.asp", "OpenApi/GatewayVariables.asp", and "IIS/iibind.asp", until a patch is applied. Avoid using the email, loginname, sortfield, and GateWayID parameters in the respective affected API endpoints until the issue is resolved.