CVE-2011-5071 Information

Description

Multiple SQL injection vulnerabilities in Support Incident Tracker (aka SiT!) before 3.64 allow remote attackers to execute arbitrary SQL commands via the (1) exc[] parameter to report_marketing.php, (2) selected[] parameter to tasks.php, (3) sites[] parameter to billable_incidents.php, or (4) search_string parameter to search.php. NOTE: some of these details are obtained from third party information.

Reference

http://en.securitylab.ru/lab/PT-2011-25
http://seclists.org/bugtraq/2011/Jul/174
http://secunia.com/advisories/45277
http://secunia.com/advisories/45437
http://sitracker.org/wiki/ReleaseNotes364
