CVE-2006-5608
Description
SQL injection vulnerability in Drupal Extended Tracker module allows remote attackers to execute arbitrary SQL commands via unsanitized URL parameters, potentially gaining admin privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Extended Tracker (xtracker) module for Drupal 4.7, in versions prior to 1.5.2.1, contains a SQL injection vulnerability. The module accepts parameters from URLs and uses them unescaped in SQL queries, allowing attackers to inject arbitrary SQL commands [1].
Exploitation
An attacker can exploit this vulnerability remotely by crafting a URL with malicious SQL parameters. No authentication is required, as the vulnerable code path is reachable from the public-facing interface [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL commands, potentially leading to the disclosure or alteration of database contents and, as stated in the advisory, gaining administrator privileges [1].
Mitigation
The vulnerability is fixed in version 1.5.2.1 of the Extended Tracker module for Drupal 4.7. Users should upgrade to this version immediately [1]. No workaround is available. Drupal core is not affected, and the 4.6 version of xtracker is not vulnerable.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:drupal:extended_tracker:4.7:*:*:*:*:*:*:*
- (no CPE), range: <1.5.2.1
Patches
No patches discovered yet.
References: 5
News mentions
No linked articles in our index yet.