[Original text] Multiple SQL injection vulnerabilities in Invision Blog before 1.1.2 Final allow remote attackers to execute arbitrary SQL commands via the (1) eid parameter to an editentry, replyentry, or editcomment action, or (2) the mid parameter to an aboutme action.
Invision Community Blog Module Multiple Parameter SQL Injection
Remote / Network Access
Loss of Confidentiality, Loss of Integrity
Invision Community Blog contains a flaw that may allow an attacker to inject arbitrary SQL queries. The issue is due to improper validation of the "mid" parameter to index.php, which allows an attacker to inject or manipulate SQL queries.
Upgrade to version 1.1.2 Final or higher, as it has been reported to fix this vulnerability.
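For installations that cannot be upgraded immediately, web access logs can be reviewed for requests to the affected actions whose eid or mid value is not a plain integer. The following is an added example, not code from Invision or from this advisory. It assumes that legitimate ids are decimal integers and a common/combined log format; the log lines and the `req` parameter name are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter -> actions, as named in the advisory.
WATCHED = {"eid": {"editentry", "replyentry", "editcomment"},
           "mid": {"aboutme"}}
# Assumption: legitimate id values are plain decimal integers.
INTEGER = re.compile(r"[0-9]{1,10}")
# Request line of a common/combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+"')


def suspicious_params(url):
    """Return [(param, value)] for watched ids that are not plain integers."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # The advisory does not name the parameter that carries the action,
    # so the action name is looked for among all query values.
    values = {v.lower() for vals in query.values() for v in vals}
    hits = []
    for param, actions in WATCHED.items():
        if actions & values:
            hits += [(param, v) for v in query.get(param, [])
                     if not INTEGER.fullmatch(v)]
    return hits


def scan(log_lines):
    """Return [(line_number, param, value)] for every flagged request."""
    found = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if match:
            found += [(number, p, v)
                      for p, v in suspicious_params(match.group(1))]
    return found


# Constructed sample log lines; "req" is a placeholder parameter name.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2005:10:00:00 +0000] "GET /index.php?req=editentry&eid=42 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2005:10:00:05 +0000] "GET /index.php?req=editentry&eid=42%27 HTTP/1.1" 200 87',
    '192.0.2.11 - - [01/Jan/2005:10:00:09 +0000] "GET /index.php?req=aboutme&mid=abc HTTP/1.1" 200 87',
    '192.0.2.12 - - [01/Jan/2005:10:00:12 +0000] "GET /index.php?req=showentry&eid=x HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Parameters sent in a POST body do not appear in access logs, so this review covers only values carried in the URL.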