CVE-2023-46358

Name of the Vulnerable Software and Affected Versions Referral and Affiliation Program (referralbyphone) versions 3.5.1 and earlier

Description The issue allows a guest to perform SQL injection. The method ReferralByPhoneDefaultModuleFrontController::ajaxProcessCartRuleValidate contains sensitive SQL calls that can be executed with a trivial HTTP call and exploited to forge a SQL injection.

Recommendations For versions 3.5.1 and earlier, consider disabling the ReferralByPhoneDefaultModuleFrontController::ajaxProcessCartRuleValidate method until a patch is available to prevent SQL injection exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.