New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SQL injection vulnerability in type parameter #90

Open

blanderson22 opened this issue Dec 1, 2021 · 1 comment

blanderson22 commented Dec 1, 2021

Describe the bug
SQL injection - The type parameter appears to be vulnerable to SQL injection attacks.

To Reproduce
Steps to reproduce the behavior:

Use the JBZoo Search list module
Click on a link to filter results in the search list module
On the search results page use a backslash and quotes in the type parameter to incorporate SQL syntax in the DB query.

Expected behavior
Use parameterized queries (prepared statements) for all database access.

My system (please complete the following information):

JBZoo 4.12.0
Joomla 3.10.3

Contributor

fiction13 commented Dec 1, 2021

Hello!

Thanks, we will check it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment