CVE-2009-4742

Name of the Vulnerable Software and Affected Versions Docebo version 3.6.0.3

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved through several API endpoints, including "index.php" with specific parameters: (1) the word parameter in a "play help" action to the "faq" module, (2) the word parameter in a "play keyw" action to the "link" module, (3) the id certificate parameter in an "elemmetacertificate" action to the "meta certificate" module, or (4) the id certificate parameter in an "elemcertificate" action to the "certificate" module.

Recommendations For Docebo version 3.6.0.3, consider disabling the SQL execution functionality or restricting access to the vulnerable modules until a patch is available. As a temporary workaround, avoid using the word parameter in the "faq" and "link" modules, and the id certificate parameter in the "meta certificate" and "certificate" modules. At the moment, there is no information about a newer version that contains a fix for this vulnerability.