[原文]Multiple SQL injection vulnerabilities in ReviewPost PHP Pro before 2.84 allow remote attackers to execute arbitrary SQL commands via the (1) cat parameter to showcat.php or (2) product parameter to addfav.php.
ReviewPost PHP Pro showcat.php cat Parameter SQL Injection
Remote / Network Access
Loss of Confidentiality,
Loss of Integrity
ReviewPost PHP Pro contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'cat' parameter in the 'showcat.php' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.
Upgrade to version 2.84 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.