PT-2008-4487 · Octeth · Octeth Oempro

Published

2008-12-03

Updated

2017-08-08

CVE-2008-3058

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: Octeth Oempro versions prior to 4

Description: The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the FormValue Email parameter to "index.php" in various directories, or the FormValue SearchKeywords parameter to "client/campaign track.php".

Recommendations: For versions prior to 4, update to version 4 or later to resolve the issue. As a temporary workaround, consider restricting access to the FormValue Email and FormValue SearchKeywords parameters in the affected API endpoints until a patch is available. Avoid using the FormValue Email parameter in "index.php" and the FormValue SearchKeywords parameter in "client/campaign track.php" until the issue is resolved.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2008-3058

Affected Products

Octeth Oempro

PT-2008-4487 · Octeth · Octeth Oempro

CVE-2008-3058

Weakness Enumeration

Related Identifiers

Affected Products

References · 8