CVE-2014-1636

Name of the Vulnerable Software and Affected Versions Command School Student Management System version 1.06.01

Description The issue allows remote attackers to execute arbitrary SQL commands via the id parameter in an edit action to various PHP files, including "admin school names.php", "admin subjects.php", "admin grades.php", "admin terms.php", "admin school years.php", "admin sgrades.php", "admin media codes 1.php", "admin infraction codes.php", "admin generations.php", "admin relations.php", "admin titles.php", or "health allergies.php" in the "sw/" directory.

Recommendations For Command School Student Management System version 1.06.01, as a temporary workaround, consider restricting access to the id parameter in the affected PHP files until a patch is available. Avoid using the id parameter in the edit actions to the specified PHP files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.