Magento 2.1.x < 2.1.17 / 2.2.x < 2.2.8 / 2.3.x < 2.3.1 SQL Injection
Severity: High | Web Application Scanning | Plugin ID: 98531
Synopsis: Magento 2.1.x < 2.1.17 / 2.2.x < 2.2.8 / 2.3.x < 2.3.1 SQL Injection
Description: The Magento application running on the remote web server is affected by a SQL injection vulnerability because it fails to properly sanitize the user-supplied 'from' and 'to' inputs to the 'prepareSqlCondition' function of the '\Magento\Framework\DB\Adapter\Pdo\Mysql' class. An unauthenticated, remote attacker can exploit this to execute arbitrary SQL statements against the back-end database, leading to the execution of arbitrary code, manipulation of data, or disclosure of sensitive information.
Note: This has been detected using an active check and should be remediated immediately.
Solution: Apply the appropriate patch according to the vendor advisory.