CVE-2023-51828

Name of the Vulnerable Software and Affected Versions PMB versions 7.4.7 and earlier

Description A SQL Injection issue in the /admin/convert/export.class.php file allows remote unauthenticated attackers to execute arbitrary SQL commands via the query parameter in the get next notice function.

Recommendations For PMB versions 7.4.7 and earlier, as a temporary workaround, consider restricting access to the /admin/convert/export.class.php file and the get next notice function until a patch is available. Avoid using the query parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.