GHSA-584P-RPVQ-35VF AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables
Summary The fixCleanTitle static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $cleantitle and $id into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a craft...