PT-2014-2707 · Kasseler · Kasseler Cms

Published: 2014-03-13 · Updated: 2014-03-13 · CVE-2013-3729

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Kasseler CMS versions prior to 2 r1232
Description: The issue allows remote attackers to hijack the authentication of administrators (cross-site request forgery) for requests that conduct SQL injection attacks. The forged request targets "admin.php" through either the groups[] parameter of the send action in the "sendmail" module or the query parameter of the "sql query" action in the "database" module.
Recommendations: For versions prior to 2 r1232, update to version 2 r1232 or later to resolve the issue. As a temporary workaround, restrict access to the "sendmail" and "database" modules to reduce exposure, and avoid using the groups[] and query parameters of the affected endpoints until the update is applied.
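The weakness described above is that the two admin actions accept a state-changing request without proving it came from the administrator's own session on the CMS origin. The following is an added illustration of the defensive control that closes that gap (a synchronizer token plus an Origin/Referer check in front of the affected actions); it is not Kasseler CMS code and does not reproduce the project's fix. The request shape (module, action, method, headers, form), the SITE_ORIGIN value and every function name are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed value for this example; not Kasseler CMS configuration.
SITE_ORIGIN = "https://cms.example.test"

# The two admin actions named in the advisory. Passing module and action
# as separate arguments is an assumption for illustration, not the real
# admin.php dispatcher.
STATE_CHANGING_ACTIONS = {("sendmail", "send"), ("database", "sql query")}


class Session:
    """Server-side session holding one unguessable per-session token."""

    def __init__(self):
        self.csrf_token = secrets.token_hex(32)


def render_admin_form(session):
    """Hidden field an admin page embeds so a same-site form can prove itself."""
    return {"csrf_token": session.csrf_token}


def request_origin(headers):
    """Return 'scheme://host' from Origin, else from Referer, else None."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(session, method, headers, form):
    """Return (allowed, reason) for a state-changing admin request."""
    # A safe method must never trigger a state change; a bare <img> or link
    # on a third-party page would otherwise be enough.
    if method not in ("POST", "PUT", "PATCH", "DELETE"):
        return False, "state-changing action requested with a safe method"
    origin = request_origin(headers)
    if origin != SITE_ORIGIN:
        return False, f"source origin {origin!r} is not the CMS origin"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so token validity does not leak via timing.
    if not hmac.compare_digest(supplied, session.csrf_token):
        return False, "missing or invalid csrf token"
    return True, "ok"


def admin_dispatch(session, module, action, method, headers, form):
    """Hypothetical admin.php front controller with the CSRF gate applied."""
    if (module, action) in STATE_CHANGING_ACTIONS:
        allowed, reason = csrf_check(session, method, headers, form)
        if not allowed:
            return {"status": 403, "reason": reason}
    if (module, action) == ("sendmail", "send"):
        return {"status": 200, "groups": list(form.get("groups[]", []))}
    if (module, action) == ("database", "sql query"):
        # Running SQL is an intended admin feature here; the gate above is
        # what stops a third-party page from submitting it on the admin's behalf.
        return {"status": 200, "executed": form.get("query", "")}
    return {"status": 404, "reason": "unknown module/action"}


if __name__ == "__main__":
    s = Session()
    # Constructed request with a third-party Referer and no token: rejected.
    forged = admin_dispatch(s, "database", "sql query", "POST",
                            {"Referer": "https://third-party.example/page"},
                            {"query": "SELECT 1"})
    # Same-origin request carrying the session token: accepted.
    legit = admin_dispatch(s, "database", "sql query", "POST",
                           {"Origin": SITE_ORIGIN},
                           {"query": "SELECT 1", **render_admin_form(s)})
    print(forged)
    print(legit)
```

Both checks are needed: the origin check alone breaks if the deployment strips Referer headers or sits behind a proxy that rewrites them, and the token alone still lets a safe-method (GET) handler be triggered by an embedded resource unless state changes are confined to POST-style methods, which the gate enforces first.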

Weakness Enumeration

CSRF

Related Identifiers

CVE-2013-3729

Affected Products

Kasseler Cms