Fix CVE-2014-1608: mc_issue_attachment_get SQL injection
Use of db_query() instead of db_query_bound() allowed SQL injection attacks due to unsanitized use of parameters within the query when using the SOAP API mc_issue_attachment_get.

This issue was reported by e-mail by Andrea Barisani from oCERT, on behalf of Martin Herfurt <firstname.lastname@example.org>, a security researcher at n.runs professionals GmbH, who discovered the issue during an audit at a customer's site.

Fixes #16879

Signed-off-by: Damien Regad <email@example.com>

Conflicts:
	api/soap/mc_file_api.php
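The difference the commit message describes, shown as an added example that is not MantisBT's code: PDO over an in-memory SQLite database stands in for the db_query() and db_query_bound() styles. The table, function names and input value are constructed for illustration.

```php
<?php
// Added example, not MantisBT code. Table, columns, rows and function
// names are constructed; PDO/SQLite stands in for the project's DB layer.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE attachment (id INTEGER PRIMARY KEY, bug_id INTEGER, filename TEXT)');
$pdo->exec("INSERT INTO attachment VALUES (1, 100, 'public.txt'), (2, 200, 'private.txt')");

// Unbound style: the caller-supplied value is pasted into the SQL text,
// so the database parses it as part of the statement.
function attachment_get_unbound(PDO $pdo, $id): array {
    $query = "SELECT filename FROM attachment WHERE id = $id";
    return $pdo->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// Bound style: the SQL text is fixed and the value is sent separately,
// so it can only ever be compared as data.
function attachment_get_bound(PDO $pdo, $id): array {
    $stmt = $pdo->prepare('SELECT filename FROM attachment WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$inputs = [
    'expected id'   => '1',
    'crafted value' => '1 OR 1=1',   // constructed input for the demonstration
];

foreach ($inputs as $label => $id) {
    $unbound = attachment_get_unbound($pdo, $id);
    $bound   = attachment_get_bound($pdo, $id);
    printf("%-14s unbound=%s bound=%s\n", $label, json_encode($unbound), json_encode($bound));
    // A review or regression check can flag any input for which the two
    // styles disagree: that input changed the statement, not just the value.
    if ($unbound !== $bound) {
        echo "  -> query structure was altered by the input\n";
    }
}
```

How a bound non-numeric string compares to an integer column depends on the database engine's type coercion, so an API that expects a numeric id should also validate the type before querying.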