[Original text] SQL injection vulnerability in authent.php4 in Nicolas Fischer (aka NFec) RechnungsZentrale V2 1.1.3, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the User field.
RechnungsZentrale V2 mod/authent.php4 user Parameter SQL Injection
Remote / Network Access
Loss of Confidentiality, Loss of Integrity
RechnungsZentrale V2 contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the mod/authent.php4 script not properly sanitizing user-supplied input to the 'user' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.