CVE-2011-5071

Name of the Vulnerable Software and Affected Versions Support Incident Tracker (aka SiT!) versions prior to 3.64

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters, including the exc[] parameter to "report marketing.php", the selected[] parameter to "tasks.php", the sites[] parameter to "billable incidents.php", or the search string parameter to "search.php".

Recommendations For versions prior to 3.64, update to version 3.64 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints, such as "report marketing.php", "tasks.php", "billable incidents.php", and "search.php", until a patch is available. Avoid using the exc[], selected[], sites[], and search string parameters in the respective affected endpoints until the issue is resolved.