CVE-2023-4974

Name of the Vulnerable Software and Affected Versions Academy LMS version 6.2

Description A critical issue affects some unknown functionality of the file /academy/tutor/filter of the component GET Parameter Handler. The manipulation of the arguments price min and price max leads to SQL injection. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond.

Recommendations For Academy LMS version 6.2, as a temporary workaround, consider restricting access to the /academy/tutor/filter API endpoint until a patch is available. Avoid using the parameters price min and price max in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.