CVE-2014-1634

Name of the Vulnerable Software and Affected Versions Advanced Newsletter Magento extension versions prior to 2.3.5

Description The issue exists due to SQL Injection in the Advanced Newsletter Magento extension. This can be exploited via the "/store/advancednewsletter/index/subscribeajax/an category id/" PATH INFO.

Recommendations For versions prior to 2.3.5, update to version 2.3.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/store/advancednewsletter/index/subscribeajax/an category id/" endpoint until a patch is available.