SS-2014-004: SQL injection in SiteTree with custom URLSegmentFilter rules
- Low (?)
- Versions Affected:
- 3.1.3, 3.0.9, and all versions before
- Versions Fixed:
- 3.1.4, 3.0.10
- Release Date:
When a developer removes the default URLSegmentFilter rule, the CMS backend is vulnerable to SQL Injection, as apostrophes are not removed.
The change will make sure the URL is always escaped, regardless of the URL filters.
Thanks to Simon Welsh for reporting and submitting a patch.