| Issue: | |
|---|---|
| Date: | |
| Severity: | Critical |
| Requires Admin Access: | No |
| Fix Version: | 3.6.2 |
| Credit: | Ben Nott, based on earlier findings of Elar Lang |
| Description: | SQL injection via the Categories Servlet (`/categoriesServlet`); exploitation does not require authentication. The only concrete exploit known at this time targets MySQL 5.5. Because the attacker-controlled string is passed to the database for evaluation, exploits against other database engines may also be possible. We recommend that everyone upgrade to the fix version or apply the mitigation below. |
| Mitigation: | Restrict the URL pattern `/categoriesServlet` to your administrators' IP range. This is a stopgap that limits who can reach the vulnerable servlet; it does not remove the injection, so upgrade to 3.6.2 as soon as possible. |
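One way to apply the mitigation in the servlet container itself, as an added example that is not code from this advisory or from the affected project: a servlet `Filter` mapped only to `/categoriesServlet` that rejects any request whose TCP peer address falls outside an administrator IPv4 range. The class name `AdminIpFilter`, the init-param name `allowedCidr` and the default range `10.0.0.0/24` are assumptions for illustration; substitute your own range.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not the project's own code): restricts /categoriesServlet to an
 * administrator IPv4 range. Class name, init-param name and the default range are
 * assumptions for illustration.
 *
 * Map it in web.xml so it fronts only the vulnerable servlet:
 *
 *   <filter>
 *     <filter-name>AdminIpFilter</filter-name>
 *     <filter-class>AdminIpFilter</filter-class>
 *     <init-param>
 *       <param-name>allowedCidr</param-name>
 *       <param-value>10.0.0.0/24</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>AdminIpFilter</filter-name>
 *     <url-pattern>/categoriesServlet</url-pattern>
 *   </filter-mapping>
 */
public class AdminIpFilter implements Filter {
    private long network; // network part of the allowed range, as a 32-bit value
    private long mask;    // prefix mask for the allowed range

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String cidr = cfg.getInitParameter("allowedCidr");
        if (cidr == null || cidr.isEmpty()) {
            cidr = "10.0.0.0/24"; // assumed default; set the real administrator range
        }
        String[] parts = cidr.split("/");
        int prefix = parts.length == 2 ? Integer.parseInt(parts[1]) : 32;
        if (prefix < 0 || prefix > 32) {
            throw new ServletException("bad prefix length in allowedCidr: " + cidr);
        }
        mask = prefix == 0 ? 0L : (0xFFFFFFFFL << (32 - prefix)) & 0xFFFFFFFFL;
        network = toIPv4(parts[0]) & mask;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Decide on the TCP peer address only. X-Forwarded-For is client-supplied and must
        // not be trusted here; if the app sits behind a reverse proxy, enforce the range at
        // the proxy instead, because getRemoteAddr() will then return the proxy's address.
        if (isAllowed(req.getRemoteAddr())) {
            chain.doFilter(req, res);
        } else {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /** True when the dotted-quad address falls inside the configured range. */
    boolean isAllowed(String ip) {
        try {
            return (toIPv4(ip) & mask) == network;
        } catch (IllegalArgumentException e) {
            return false; // malformed or non-IPv4 (e.g. IPv6) peer address: fail closed
        }
    }

    /** Parses a dotted-quad IPv4 address into a 32-bit value held in a long. */
    private static long toIPv4(String dotted) {
        String[] octets = dotted.trim().split("\\.");
        if (octets.length != 4) throw new IllegalArgumentException("not IPv4: " + dotted);
        long value = 0;
        for (String o : octets) {
            int n = Integer.parseInt(o); // NumberFormatException is an IllegalArgumentException
            if (n < 0 || n > 255) throw new IllegalArgumentException("bad octet: " + dotted);
            value = (value << 8) | n;
        }
        return value;
    }

    @Override
    public void destroy() { }
}
```

Two caveats apply to any IP-based restriction of this servlet. First, it narrows who can reach the injectable endpoint; it does not fix the query, so an administrator-range host that is itself compromised, or a request that reaches the container through another path, can still exploit it, and the real fix remains upgrading to 3.6.2. Second, the check must be applied at the first hop that sees the real client address: behind a load balancer or reverse proxy, configure the allowlist there rather than in the application, since the container only sees the proxy's address.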