CVE-2022-4871

Name of the Vulnerable Software and Affected Versions nflpick-em.com versions up to 2.2.x

Description A problematic vulnerability was found in nflpick-em.com, affecting the Load Users function of the file html/includes/runtime/admin/JSON/LoadUsers.php. The manipulation of the sort argument leads to SQL injection. The attack can be initiated remotely. Note that the JSON entrypoint is only accessible via an admin account.

Recommendations To fix this issue, apply a patch to nflpick-em.com versions up to 2.2.x. As a temporary workaround, consider restricting access to the LoadUsers.php file or disabling the Load Users function until a patch is available. Additionally, avoid using the sort argument in the affected JSON endpoint until the issue is resolved.