CVE-2008-2446

Name of the Vulnerable Software and Affected Versions: Web Group Communication Center (WGCC) versions 1.0.3 PreRelease 1 and earlier

Description: The issue allows remote authenticated users to execute arbitrary SQL commands. This can be achieved via several parameters, including the userid parameter to "profile.php" in a "show moreinfo" action, the bildid parameter to "picturegallery.php" in a "shownext" action, the id parameter to "filebase.php" in a "freigeben" action, "schedule.php" in a "del" action, and "profile.php" in an "observe" action, the pmid parameter in a "delete" action, and the folderid parameter in a "showfolder" action to "message.php".

Recommendations: For Web Group Communication Center (WGCC) versions 1.0.3 PreRelease 1 and earlier, consider disabling the affected parameters, such as userid, bildid, id, pmid, and folderid, in their respective actions until a patch is available. Restrict access to the affected scripts, including "profile.php", "picturegallery.php", "filebase.php", "schedule.php", and "message.php", to minimize the risk of exploitation.