CVE-2009-1812

Name of the Vulnerable Software and Affected Versions: myGesuad version 0.9.14

Description: The issue allows remote attackers to execute arbitrary SQL commands via the formUser parameter in the /common/login.php API endpoint. Additionally, remote authenticated users can execute arbitrary SQL commands via the ID parameter in a Detail action to several API endpoints, including /modules/kategorie.php, /modules/budget.php, /modules/zahlung.php, and /modules/adresse.php. This is related to the classes/class.perform.php file.

Recommendations: For myGesuad version 0.9.14, consider restricting access to the vulnerable API endpoints, such as /common/login.php, /modules/kategorie.php, /modules/budget.php, /modules/zahlung.php, and /modules/adresse.php, until a patch is available. As a temporary workaround, avoid using the formUser and ID parameters in the affected API endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.