CVE-2009-1812 Information

Description

Multiple SQL injection vulnerabilities in myGesuad 0.9.14 (aka 0.9) allow remote attackers to execute arbitrary SQL commands via (1) the formUser parameter (aka the Name field) to common/login.php, and allow remote authenticated users to execute arbitrary SQL commands via the ID parameter in a Detail action to (2) kategorie.php, (3) budget.php, (4) zahlung.php, or (5) adresse.php in modules/, related to classes/class.perform.php.

Reference

http://secunia.com/advisories/35110
http://www.collector.ch/drupal5/?q=node/39
http://www.securityfocus.com/bid/34998
http://www.vupen.com/english/advisories/2009/1345
https://www.exploit-db.com/exploits/8708
