Fix CVE-2014-1608: mc_issue_attachment_get SQL injection
Use of db_query() instead of db_query_bound() allowed SQL injection attacks due to unsanitized use of parameters within the query when using the SOAP API mc_issue_attachment_get.

This issue was reported by e-mail by Andrea Barisani from oCERT, on behalf of Martin Herfurt <martin.herfurt@nruns.com>, a security researcher at n.runs professionals GmbH, who discovered the issue during an audit at a customer's site.

Fixes #16879

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Conflicts:
	api/soap/mc_file_api.php
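The difference between a query assembled from its parameters and a bound query, as an added example that is not part of the commit and is not MantisBT code. Python's `sqlite3` stands in for the db_query() / db_query_bound() distinction; the `bug_file` table, the function names and the sample rows are hypothetical and constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: two attachments belonging to different issues."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE bug_file (id INTEGER PRIMARY KEY, bug_id INTEGER, filename TEXT)"
    )
    db.executemany(
        "INSERT INTO bug_file VALUES (?, ?, ?)",
        [(1, 100, "public.txt"), (2, 200, "private.txt")],
    )
    return db

def get_attachment_concat(db, attachment_id):
    """'Before' pattern: the caller-supplied value becomes part of the SQL text."""
    query = "SELECT filename FROM bug_file WHERE id = " + str(attachment_id)
    return [row[0] for row in db.execute(query)]

def get_attachment_bound(db, attachment_id):
    """'After' pattern: the SQL text is constant, the value is a bound parameter."""
    query = "SELECT filename FROM bug_file WHERE id = ?"
    return [row[0] for row in db.execute(query, (attachment_id,))]

def get_attachment_checked(db, attachment_id):
    """Bound parameter plus type validation at the API boundary."""
    try:
        attachment_id = int(attachment_id)
    except (TypeError, ValueError):
        raise ValueError("attachment id must be an integer")
    return get_attachment_bound(db, attachment_id)

if __name__ == "__main__":
    db = make_db()
    crafted = "1 OR 1=1"  # constructed input: not an integer id
    # Concatenation lets the input rewrite the WHERE clause: every row matches.
    print("concat :", get_attachment_concat(db, crafted))
    # Binding treats the same input as one value, which equals no id.
    print("bound  :", get_attachment_bound(db, crafted))
    try:
        get_attachment_checked(db, crafted)
    except ValueError as exc:
        print("checked:", exc)
```
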