CVE-2012-3471

Name of the Vulnerable Software and Affected Versions Ushahidi Platform versions prior to 2.5

Description The issue concerns SQL injection vulnerabilities in the edit functions of certain PHP files within the Ushahidi Platform. Specifically, the vulnerabilities are located in the application/controllers/admin/reports.php and application/controllers/members/reports.php files. These vulnerabilities allow remote attackers to execute arbitrary SQL commands via an incident id.

Recommendations For versions prior to 2.5, update to version 2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the reports.php files in the admin and members controllers to minimize the risk of exploitation. Avoid using the incident id parameter in the affected API endpoints until the issue is resolved.