Multiple SQL injection vulnerabilities in CategoryResults.cfm in Honeycomb Archive and Honeycomb Archive Enterprise 3.0 allow remote attackers to execute arbitrary SQL commands via the (1) series, (2) cat_parent, (3) cat, and (4) div parameters.
Honeycomb Archive contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the CategoryResults.cfm script not validating or parameterizing user-supplied input in the 'series', 'cat_parent', 'cat' and 'div' parameters before placing it in SQL query text. This may allow a remote attacker to inject or manipulate SQL queries against the back-end database, including reading or altering data the page was never meant to expose.
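The advisory gives no code, so the following is an added illustration of the flaw class, not Honeycomb Archive's CategoryResults.cfm. It models the lookup in Python over an in-memory SQLite table: one handler concatenates the four named request parameters into the SQL text, the other binds them as parameters. The table name, column names, sample rows and the tester's payload are assumptions for the example; only the parameter names come from the advisory.

```python
"""Vulnerable versus hardened category lookup, modelled on the advisory's
series / cat_parent / cat / div parameters.  Illustrative code only: the
schema and rows below are constructed for this example."""

import sqlite3

PARAMS = ("series", "cat_parent", "cat", "div")

# A benign request and a classic probe: the payload closes the string literal,
# appends OR 1=1 and comments out the rest of the WHERE clause.
BENIGN = {"series": "10", "cat_parent": "1", "cat": "5", "div": "A"}
PAYLOAD = dict(BENIGN, cat="x' OR 1=1 --")


def make_db():
    """Constructed sample data: two public rows and one restricted row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE categories (
            id INTEGER PRIMARY KEY, series TEXT, cat_parent TEXT,
            cat TEXT, div TEXT, title TEXT);
        INSERT INTO categories VALUES
            (1, '10', '1', '5', 'A', 'Public article'),
            (2, '10', '1', '6', 'A', 'Another public article'),
            (3, '99', '7', '8', 'B', 'Restricted article');
        """
    )
    return conn


def vulnerable_results(conn, request):
    """The flaw class in the advisory: request values are spliced into the
    SQL text, so quotes and comment markers in them become SQL syntax."""
    where = " AND ".join(f"{p} = '{request.get(p, '')}'" for p in PARAMS)
    sql = f"SELECT id FROM categories WHERE {where} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def hardened_results(conn, request):
    """Bound parameters: every request value is passed as data, never parsed
    as SQL, so the payload can only ever be compared as a literal string."""
    where = " AND ".join(f"{p} = ?" for p in PARAMS)
    sql = f"SELECT id FROM categories WHERE {where} ORDER BY id"
    values = [request.get(p, "") for p in PARAMS]
    return [row[0] for row in conn.execute(sql, values)]


def injection_confirmed(handler):
    """A tester's check: does the payload return rows the benign request
    cannot reach?  True means the handler is injectable."""
    benign = set(handler(make_db(), BENIGN))
    probed = set(handler(make_db(), PAYLOAD))
    return bool(probed - benign)


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_results),
                          ("hardened", hardened_results)):
        print(name, "benign:", handler(make_db(), BENIGN),
              "payload:", handler(make_db(), PAYLOAD),
              "injectable:", injection_confirmed(handler))
```

With the concatenating handler the payload collapses the WHERE clause to `cat = 'x' OR 1=1` and returns every row, including the restricted one; with bound parameters the same payload matches nothing. In ColdFusion the equivalent fix is wrapping each value in `<cfqueryparam>` with an appropriate `cfsqltype`, and an allow-list check (for instance, rejecting non-numeric identifiers) is a cheap second layer in front of it.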
Upgrade to version 4.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.