CVE-2025-0698

Name of the Vulnerable Software and Affected Versions JoeyBling bootplus versions up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d

Description A critical issue has been found, allowing for remote SQL injection. The manipulation of the sort/order argument in an unknown function of the file /admin/sys/menu/list leads to this issue. The exploit has been disclosed publicly and can be used remotely.

Recommendations As a temporary workaround, consider restricting access to the /admin/sys/menu/list endpoint until a fix is available. Avoid using the sort/order argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.