MaxWebPortal Personal Messages SendTo Parameter SQL Injection
Remote / Network Access
Loss of Confidentiality,
Loss of Integrity
MaxWebPortal contains a flaw that will allow an attacker to inject arbitrary SQL code or conduct cross-site scripting attacks. The problem is that the "SendTo" variable in the Personal Messages module is not verified properly and will allow an attacker to inject or manipulate SQL queries.
Upgrade to version 1.320 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.