[原文]Multiple SQL injection vulnerabilities in Enterprise Connector 1.0.2 and earlier allow remote attackers to execute arbitrary SQL commands via the messageid parameter in (1) send.php or (2) a delete action in messages.php.
Enterprise Connector contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the send.php script not properly sanitizing user-supplied input to the 'messageid' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Enterprise Connector is prone to SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query.
Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org <mailto:email@example.com>.