SQL Injection

wwbn/avideo is vulnerable to a SQL Injection. The vulnerability is due to direct interpolation of user-controlled input into SQL queries without parameterization in the fixCleanTitle method, which allows an attacker to inject and execute arbitrary SQL commands...

AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables

Summary The fixCleanTitle static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $cleantitle and $id into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a craft...