It has been reported that Top Site List may be prone to an SQL injection vulnerability that may allow remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks. The issue exists due to insufficient sanitizing of the 'id' URI parameter when using the 'comments' feature in 'index.php' script.
Invision Power Top Site List versions 1.1 RC 2 and prior are reported prone to this issue.
Invision Power Top Site List index.php id Parameter SQL Injection
Remote / Network Access
Loss of Confidentiality,
Loss of Integrity
Invision Power Top Site List contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.