Multiple SQL injection vulnerabilities in Scout Portal Toolkit (SPT) 1.3.1 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the ParentId parameter in SPT--BrowseResources.php, (2) the ResourceId parameter in SPT--FullRecord.php, (3) the ResourceOffset parameter in SPT--Home.php, and (4) the F_UserName and (5) F_Password parameters in SPT--UserLogin.php. NOTE: it was later reported that vector 1 is also present in 1.4.0.
secunia.com/advisories/17979
www.osvdb.org/21625
www.osvdb.org/21626
www.osvdb.org/21627
www.osvdb.org/21628
www.securityfocus.com/archive/1/491611/100/0/threaded
www.securityfocus.com/bid/15818
www.securityfocus.com/bid/29034
www.vupen.com/english/advisories/2005/2844
www.x-illusion.com/rs/Scout%20Portal%20Toolkit.txt
exchange.xforce.ibmcloud.com/vulnerabilities/23547
exchange.xforce.ibmcloud.com/vulnerabilities/42169
www.exploit-db.com/exploits/5540