CVE-2014-1634 SQL Injection in Advanced Newsletter Magento Extension
A remote unauthenticated attacker is able to execute arbitrary SQL commands via the REST URL parameter an_category_id in /advancednewsletter/index/subscribeajax/an_category_id/
Vulnerable Versions
Confirmed on version 2.3.4
Solution
Upgrade to version 2.3.5
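To spot probing of the vulnerable route in web-server access logs while the upgrade is rolled out, here is an added example (not part of the advisory or the extension's code). It assumes Common Log Format lines and that a legitimate an_category_id is a plain positive integer; the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the advisory).
# Lines 3 and 4 carry non-numeric values in the an_category_id path segment.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jan/2014:10:01:02 +0000] "GET /advancednewsletter/index/subscribeajax/an_category_id/3/ HTTP/1.1" 200 512
203.0.113.5 - - [24/Jan/2014:10:01:05 +0000] "GET /index.php/customer/account/login/ HTTP/1.1" 200 4120
198.51.100.7 - - [24/Jan/2014:10:02:11 +0000] "GET /advancednewsletter/index/subscribeajax/an_category_id/3%27/ HTTP/1.1" 200 512
198.51.100.7 - - [24/Jan/2014:10:02:19 +0000] "POST /advancednewsletter/index/subscribeajax/an_category_id/abc/ HTTP/1.1" 500 0
"""

# Common Log Format: client IP, identity, user, [timestamp], "METHOD path PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# The route named in the advisory; the category id is the path segment that follows it.
ROUTE_RE = re.compile(r'/advancednewsletter/index/subscribeajax/an_category_id/([^/?]*)')


def extract_category_id(path):
    """Return the URL-decoded an_category_id segment, or None if the path is not the route."""
    m = ROUTE_RE.search(path)
    if not m:
        return None
    return unquote(m.group(1))


def is_expected_value(value):
    # Assumption: a Magento category id is a plain positive integer, so anything
    # else (quotes, spaces, letters, an empty segment) is worth a closer look.
    return value.isdigit()


def find_suspicious_requests(log_text):
    """Return (ip, timestamp, decoded value) for route hits whose id is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        value = extract_category_id(m.group("path"))
        if value is None or is_expected_value(value):
            continue
        hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in find_suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} an_category_id={value!r}")
```

Point the script at a real access log to flag clients sending non-integer category ids; a hit is a signal to investigate, not proof of compromise.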
Vulnerability Timeline
22 Jan 2014 – Vulnerability reported to vendor
23 Jan 2014 – Vendor requested more details
24 Jan 2014 – Vendor acknowledged vulnerability and released new version