Ektron CMS400.NET ContentRatingGraph.aspx SQL injection - Vulnerability Database

Description

Ektron CMS400.NET contains a SQL injection vulnerability in the ContentRatingGraph.aspx component. The 'res' parameter fails to properly sanitize user input before incorporating it into SQL queries, allowing unauthenticated remote attackers to inject malicious SQL commands. This vulnerability enables attackers to manipulate database queries and compromise the integrity of the underlying database system.

Remediation

Apply the following remediation steps immediately:

1. Upgrade Ektron CMS to the latest patched version that addresses CVE-2008-5122
2. If immediate patching is not possible, implement input validation and parameterized queries for the 'res' parameter in ContentRatingGraph.aspx
3. Deploy a Web Application Firewall (WAF) with rules to detect and block SQL injection attempts as a temporary mitigation
4. Review database access logs for any suspicious activity or unauthorized access attempts
5. Ensure the database account used by the CMS operates with minimum required privileges to limit potential damage from exploitation

Contact Ektron support for specific patch information and version guidance for your deployment.
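
For the log review in step 4, web server logs can be triaged alongside the database logs. The following is an added example, not code from this advisory or from Ektron: it parses IIS W3C extended logs and flags requests to ContentRatingGraph.aspx whose 'res' value falls outside an allow-list. The allow-list pattern, the /cms/ path and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Assumption: legitimate 'res' values are short alphanumeric tokens.
# Adjust the pattern to what your deployment actually sends.
ALLOWED_RES = re.compile(r"[A-Za-z0-9_-]{1,32}")
TARGET = "/contentratinggraph.aspx"

def suspicious_requests(lines, allowed=ALLOWED_RES):
    """Return (date, time, client_ip, decoded_res) for requests to the
    target page whose 'res' parameter falls outside the allow-list."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        if not row.get("cs-uri-stem", "").lower().endswith(TARGET):
            continue
        query = row.get("cs-uri-query", "-")
        if query == "-":  # IIS logs "-" when there is no query string
            continue
        # parse_qsl percent-decodes values; parameter names are matched
        # case-insensitively because ASP.NET treats them that way.
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key.lower() == "res" and not allowed.fullmatch(value):
                hits.append((row.get("date"), row.get("time"),
                             row.get("c-ip"), value))
    return hits

# Constructed sample log (documentation IP ranges, hypothetical /cms/ path).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-11-20 10:01:02 192.0.2.10 GET /cms/ContentRatingGraph.aspx res=42 200
2008-11-20 10:01:09 198.51.100.7 GET /cms/ContentRatingGraph.aspx res=3%27-- 500
2008-11-20 10:02:00 192.0.2.11 GET /cms/default.aspx id=1%27 200
2008-11-20 10:03:15 198.51.100.7 GET /cms/contentratinggraph.aspx type=time&RES=1+OR+1 200
"""

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG.splitlines()):
        print(*hit)
```

A flagged request is a lead to correlate with the database logs by timestamp and client address, not proof of compromise.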
