CVE-2018-11772

Name of the Vulnerable Software and Affected Versions Apache VCL versions 2.1 through 2.5

Description The issue arises from improper validation of cookie input when determining the previously selected node in the privilege tree. This input is then used in an SQL statement, allowing for an SQL injection attack. Access to the vulnerable portion of the system requires admin-level rights, and other security layers seem to protect against malicious attacks. It is estimated that all VCL systems running versions earlier than 2.5.1 are potentially affected.

Recommendations For Apache VCL versions 2.1 through 2.5, upgrade or patch to a version 2.5.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the privilege tree functionality to minimize the risk of exploitation.