CVE-2010-4780

Name of the Vulnerable Software and Affected Versions Enano CMS versions 1.0.6pl2 through 1.0.6pl2 and 1.1.7pl1

Description The issue allows remote attackers to execute arbitrary SQL commands via the email parameter to "index.php". This is due to a SQL injection vulnerability in the check banlist function in includes/sessions.php.

Recommendations For Enano CMS version 1.1.7pl1, update to version 1.1.8 or later. For Enano CMS version 1.0.6pl2, update to version 1.0.6pl3 or later. As a temporary workaround, consider restricting access to the check banlist function in includes/sessions.php until a patch is available. Avoid using the email parameter in the "index.php" endpoint until the issue is resolved.