A vulnerability was found in happyman twmap. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file twmap3/data/ajaxCRUD/pointdata2.php. The manipulation of the argument id leads to sql injection. Upgrading to version v2.9_v4.31 is able to address this issue. The identifier of the patch is babbec79b3fa4efb3bd581ea68af0528d11bba0c. It is recommended to upgrade the affected component. The identifier VDB-217645 was assigned to this vulnerability.
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
| Link | Tags |
|---|---|
| https://vuldb.com/?id.217645 | third party advisory vdb entry technical description |
| https://vuldb.com/?ctiid.217645 | signature third party advisory permissions required |
| https://github.com/happyman/twmap/issues/42 | third party advisory issue tracking |
| https://github.com/happyman/twmap/commit/babbec79b3fa4efb3bd581ea68af0528d11bba0c | patch |
| https://github.com/happyman/twmap/releases/tag/v2.9_v4.31 | patch release notes |