U4-6810 - Need to parameterize SQL query in NewRelationType.aspx.cs

Created by Shannon Deminick 09 Jul 2015, 09:43:27 Updated by Sebastiaan Janssen 31 Oct 2017, 08:59:04

Because the SQL is not parameterized, an authenticated back office user could attempt to exploit Umbraco with SQL Injection. The risk of this is very low since it requires an authenticated administrator in the back office to attempt to submit SQL injection data.
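The pattern the issue describes, and the fix it asks for, shown side by side as an added illustration (this is not Umbraco's code and the `RelationType` table here is a constructed stand-in, not the project's real schema). The first function pastes the submitted form values straight into the SQL text, so any value containing a quote character alters the statement itself; the second binds them as parameters, so the same value is stored verbatim and the statement's structure cannot change. A name containing an ordinary apostrophe is enough to show the difference without any attack input:

```python
import sqlite3

# Constructed stand-in for a relation-type table (assumption: not Umbraco's schema).
SCHEMA = """
CREATE TABLE RelationType (
    id    INTEGER PRIMARY KEY,
    alias TEXT    NOT NULL,
    name  TEXT    NOT NULL,
    dual  INTEGER NOT NULL
);
"""


def new_db():
    """Fresh in-memory database so each run starts from an empty table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_concatenated(conn, alias, name, dual):
    """The pattern the issue reports: form values concatenated into the SQL text.
    Whatever the back office user typed becomes part of the statement."""
    sql = ("INSERT INTO RelationType (alias, name, dual) VALUES ('"
           + alias + "', '" + name + "', " + str(int(dual)) + ")")
    conn.execute(sql)
    conn.commit()


def insert_parameterized(conn, alias, name, dual):
    """The fix: placeholders in the SQL text, values bound by the driver.
    A bound value is data only; it can never be parsed as SQL."""
    sql = "INSERT INTO RelationType (alias, name, dual) VALUES (?, ?, ?)"
    conn.execute(sql, (alias, name, int(dual)))
    conn.commit()


def demo(name):
    """Run both versions on the same submitted name.

    Returns (concatenated_succeeded, parameterized_stored_exact_value).
    """
    conn = new_db()
    try:
        insert_concatenated(conn, "siteMap", name, 0)
        concat_ok = True
    except sqlite3.Error:
        # The quote in the value broke the statement: the same mechanism
        # that makes the concatenated form injectable.
        concat_ok = False

    conn2 = new_db()
    insert_parameterized(conn2, "siteMap", name, 0)
    stored = conn2.execute("SELECT name FROM RelationType").fetchone()[0]
    return concat_ok, stored == name


if __name__ == "__main__":
    # Constructed sample inputs: a plain name and one with an apostrophe.
    for submitted in ("Related content", "Editor's picks"):
        concat_ok, param_ok = demo(submitted)
        print(f"{submitted!r}: concatenated ok={concat_ok}, parameterized exact={param_ok}")
```

The same shape carries over to the ASP.NET code-behind the issue names: build the command text with named placeholders and supply the values through the command's parameter collection rather than through string concatenation.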

Comments

Sebastiaan Janssen 31 Oct 2017, 08:59:04

This was fixed in v7.3 - https://github.com/umbraco/Umbraco-CMS/commit/2d5e5e9b3c7961b99133be547475cc4e387c4e2a#diff-0bb7a3995356aa3d46dcd460e92f03ea
Priority: Normal

Type: Bug

State: Fixed

Assignee:

Difficulty: Normal

Category: Security

Backwards Compatible: True

Fix Submitted:

Affected versions: 6.0.0, 6.1.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.1.1, 6.0.6, 6.0.5, 6.0.7, 6.1.2, 6.2.0, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5

Due in version: 7.3.0

Sprint:

Story Points:

Cycle: