CVE-2006-4444 Information
Description
Multiple SQL injection vulnerabilities in Cybozu Garoon 2.1.0 for Windows allow remote authenticated users to execute arbitrary SQL commands via the (1) tid parameter in the (a) todo/view (aka TODO List View), (b) todo/modify (aka TODO List Modify), or (c) todo/delete functionality; the (2) pid parameter in the (d) workflow/view or (e) workflow/print functionality; the (3) uid parameter in the (f) schedule/user_view, (g) phonemessage/add, (h) phonemessage/history, or (i) schedule/view functionality; the (4) cid parameter in (j) todo/index; the (5) iid parameter in the (k) memo/view or (l) memo/print functionality; or the (6) event parameter in the (m) schedule/view functionality.
Reference
http://cybozu.co.jp/products/dl/notice_060825/
http://secunia.com/advisories/21664
http://vuln.sg/cybozugaroon-en.html
http://www.osvdb.org/28361
http://www.osvdb.org/28362
http://www.osvdb.org/28363
http://www.osvdb.org/28364
http://www.osvdb.org/28365
http://www.osvdb.org/28366
http://www.securityfocus.com/bid/19731
http://www.vupen.com/english/advisories/2006/3399
https://exchange.xforce.ibmcloud.com/vulnerabilities/28594