CVE-2019-14231

Name of the Vulnerable Software and Affected Versions Viral Quiz Maker - OnionBuzz plugin versions prior to 1.2.2

Description An issue in the Viral Quiz Maker - OnionBuzz plugin allows an unauthenticated user to perform a SQL injection attack. This is due to the lack of sanitization of the points parameter in the ob get results AJAX handler, which is used in the getResultByPointsTrivia function. This enables remote code execution and information disclosure.

Recommendations For versions prior to 1.2.2, update to version 1.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the ob get results AJAX handler to minimize the risk of exploitation. Avoid using the points parameter in the affected AJAX endpoint until the issue is resolved.