SQL injection vulnerability in the getwbbuserdata function in session.php for Woltlab Burning Board 2.0.3 through 2.3.0 allows remote attackers to execute arbitrary SQL commands via the (1) userid or (2) lastvisit cookie.
Woltlab Burning Board contains a flaw that allows an attacker to inject arbitrary SQL code. The wbb_userid and lastvisit variables in the session.php module are not properly validated, which allows an attacker to inject into or manipulate SQL queries.
Currently, there are no known workarounds or upgrades to correct this issue. However, the vendor has released patches for 2.0.3, 2.1.5, 2.2.1, and 2.3.0 to address this vulnerability.
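The following is an added example, not Woltlab Burning Board code and not the vendor's patch. It contrasts the pattern the entry describes (a cookie value concatenated into query text) with a lookup that validates both cookies as integers and binds the value as a parameter. The `users` table, its columns, and all function names are hypothetical, and the cookie sets are constructed.

```php
<?php
// Added illustration, not Woltlab Burning Board source. The users table,
// its columns and all function names are hypothetical.

// Pattern the advisory describes: a cookie value pasted into the query text.
function count_matches_unsafe(PDO $db, array $cookies): int
{
    $sql = 'SELECT userid FROM users WHERE userid = ' . $cookies['wbb_userid'];
    return count($db->query($sql)->fetchAll());
}

// Accept a cookie only if it is a string of 1-10 decimal digits.
function cookie_int(array $cookies, string $name): ?int
{
    $raw = $cookies[$name] ?? null; // may be missing, or an array (name[]=x)
    if (!is_string($raw) || preg_match('/^[0-9]{1,10}$/D', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// Hardened lookup: validated integers plus a bound parameter.
function load_user(PDO $db, array $cookies): ?array
{
    $userid = cookie_int($cookies, 'wbb_userid');
    $lastvisit = cookie_int($cookies, 'lastvisit');
    if ($userid === null || $lastvisit === null) {
        return null; // malformed cookie: treat the request as a guest
    }
    $stmt = $db->prepare('SELECT userid, username FROM users WHERE userid = ?');
    $stmt->execute([$userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row + ['lastvisit' => $lastvisit];
}

// Constructed sample data and cookie sets.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'admin'), (2, 'alice')");

$wellFormed = ['wbb_userid' => '2', 'lastvisit' => '1100000000'];
$malformed  = ['wbb_userid' => '2 OR 1=1', 'lastvisit' => '1100000000'];

foreach ([$wellFormed, $malformed] as $cookies) {
    var_dump(count_matches_unsafe($db, $cookies)); // rows the concatenated query matched
    var_dump(load_user($db, $cookies));            // row, or null when a cookie is rejected
}
```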