There are no workarounds for this issue.
USOC is an open source CMS with a focus on simplicity. In affected versions USOC allows for SQL injection via register.php. In particular, usernames, email addresses, and passwords provided by the user were not sanitized and were used directly to construct a SQL statement. Users are advised to upgrade as soon as possible.

In affected versions USOC allows for SQL injection via usersearch.php. Search terms provided by the user were not sanitized and were used directly to construct a SQL statement. The only users permitted to search are site admins.

CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a working exploit, which can lead to SQL injection. Users are advised to upgrade to v4.1.6 or later. Users unable to upgrade are advised not to use the `old()` function and form_helper, nor `RedirectResponse::withInput()` and `redirect()->withInput()`. There are no known workarounds for this vulnerability.

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases going back to 3.7.37. We strongly recommend that you keep auto-updates enabled.

Useful Simple Open-Source CMS (USOC) is a content management system (CMS) for programmers. Versions prior to Pb2.4Bfx3 allowed SQL injection in usersearch.php only for users with administrative privileges. USOC version Pb2.4Bfx3 contains a fixed version of `admin/pages/useredit.php`. Users should replace the file `admin/pages/useredit.php` with a newer version.

The Le-yan dental management system contains an SQL injection vulnerability. An unauthenticated remote attacker can inject SQL commands into the input field of the login page to acquire administrator privileges and perform arbitrary operations on the system or disrupt service.