CVE-2012-4260

Name of the Vulnerable Software and Affected Versions myCare2x (affected versions not specified)

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters in different PHP files, including aktion or callurl in 'modules/patient/mycare2x pat info.php', dept nr or pid in 'modules/importer/mycare2x importer.php', myOpsEintrag or keyword in a 'Suchen' action to 'modules/drg/mycare2x proc search.php', or name last or pid in 'modules/patient/mycare pid.php'.

Recommendations For myCare2x, consider restricting access to the vulnerable parameters aktion, callurl, dept nr, pid, myOpsEintrag, keyword, name last to minimize the risk of exploitation. As a temporary workaround, consider disabling the SQL execution functionality in the affected PHP files until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.