CVE-2020-24617

2021-02-1923:15:12

Google

osv.dev

8.1 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

40.8%

JSON

Mailtrain through 1.24.1 allows SQL Injection in statsClickedSubscribersByColumn in lib/models/campaigns.js via /campaigns/clicked/ajax because variable column names are not properly escaped.

CPENameOperatorVersion
mailtraineq1.8.2
mailtraineq1.3.0
mailtraineq1.8.1
mailtraineq1.11.0
mailtraineq1.23.1
mailtraineq1.24.0
mailtraineq1.0.0
mailtraineq1.20.0
mailtraineq1.21.0
mailtraineq1.13.0

Name	Operator	Version
mailtrain	eq	1.8.2
mailtrain	eq	1.3.0
mailtrain	eq	1.8.1
mailtrain	eq	1.11.0
mailtrain	eq	1.23.1
mailtrain	eq	1.24.0
mailtrain	eq	1.0.0
mailtrain	eq	1.20.0
mailtrain	eq	1.21.0
mailtrain	eq	1.13.0