CVE-2014-2531

Name of the Vulnerable Software and Affected Versions InterWorx Web Control Panel versions prior to 5.0.14 build 577

Description The issue allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the NodeWorx, SiteWorx, or Resellers interface. This can be demonstrated by the "or" key in a pgn8state object in an i object in a JSON object.

Recommendations For versions prior to 5.0.14 build 577, update to version 5.0.14 build 577 or later to resolve the issue. As a temporary workaround, consider restricting access to the xhr.php file or disabling the search action in the NodeWorx, SiteWorx, or Resellers interface until a patch is available. Avoid using the i parameter in the affected API endpoint until the issue is resolved.