| Vector: | Remote |
| Severity: | Medium |
| Patch: | Patched |
| Impact: | Data Manipulation |
| Software: | miniBB 3.x , vulnerable versions: <3.1 released on 2014-11-27 |
SQL inection vulnerability was reported in miniBB.
Vulnerability is caused by an input validation error while processing the code parameter in bb_func_unsub.php, when "action" is set to "unsubscribe". A remote attacker can send a specially crafted request to the vulnerable application and execute arbitrary SQL commands in application`s database.
Further exploitation of this vulnerability may result in unauthorized data manipulation.
Solution:
For miniBB 3.x: Update to version 3.1 released on 2014-11-27.
Links:
- http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html
- http://security.szurek.pl/minibb-31-blind-sql-injection.html
