CVE-2012-4971

Name of the Vulnerable Software and Affected Versions Layton Helpbox version 4.4.0

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via various parameters, including reqclass, sys request id, confirm, searchsql, back, status, sys userpwd, sql, and site, in different ASP pages such as editrequestenduser.asp, editrequestuser.asp, enduseractions.asp, enduserreopenrequeststatus.asp, enduserrequests.asp, validateenduserlogin.asp, validateuserlogin.asp, editenduseruser.asp, manageenduserrequestclasses.asp, resetpwdenduser.asp, disableloginenduser.asp, deleteenduseruser.asp, manageendusers.asp, and statsrequestagereport.asp.

Recommendations For Layton Helpbox version 4.4.0, consider disabling the parameters reqclass, sys request id, confirm, searchsql, back, status, sys userpwd, and sql in the respective ASP pages until a patch is available. Restrict access to the site parameter in statsrequestagereport.asp to minimize the risk of exploitation. Avoid using the vulnerable parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.