CVE-2012-5849

Name of the Vulnerable Software and Affected Versions ClipBucket versions 2.6 Revision 738 and earlier

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via various parameters in different actions to "ajax.php", including the uid parameter in an "add friend" action, id parameter in "share object", "add to fav", "rating", or "flag object" actions, cid parameter in "add new item", "remove collection item", "get item", or "load more items" actions, and ci id parameter in a "get item" action. Additionally, vulnerabilities exist in the user parameter to "user contacts.php" or "view channel.php", pid parameter to "view page.php", tid parameter to "view topic.php", and v parameter to "watch video.php".

Recommendations For ClipBucket versions 2.6 Revision 738 and earlier, consider disabling the vulnerable parameters, such as uid, id, cid, ci id, user, pid, tid, and v, in their respective actions and scripts until a patch is available. Restrict access to the affected scripts, including "ajax.php", "user contacts.php", "view channel.php", "view page.php", "view topic.php", and "watch video.php", to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.