[Resolved] [Plugin: Subscribe2] SQL injection vulnerabilities
We found at least one error in our logs because unescaped data was being inserted into an SQL statement (we didn’t exploit it, that’s left as an exercise for the reader). Here’s a patch against v8.3 that should hopefully prevent SQL injection attacks or accidents:
I haven’t thoroughly tested it, but it’s a bit less vulnerable at least.