Invision Community before 4.7.16 allow SQL injection via...
Critical severity
Unreviewed
Published
Jun 7, 2024
to the GitHub Advisory Database
•
Updated Aug 8, 2024
Description
Published by the National Vulnerability Database
Jun 7, 2024
Published to the GitHub Advisory Database
Jun 7, 2024
Last updated
Aug 8, 2024
Invision Community before 4.7.16 allow SQL injection via the applications/nexus/modules/front/store/store.php IPS\nexus\modules\front\store_store::_categoryView() method, where user input passed through the filter request parameter is not properly sanitized before being used to execute SQL queries. This can be exploited by unauthenticated attackers to carry out Blind SQL Injection attacks.
References