SQL Injection in Symphony: CVE-2013-2559

Description

High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in Symphony, which can be exploited to alter SQL requests to the database of the vulnerable application. The vulnerability exists due to insufficient filtration of the "sort" HTTP GET parameter passed via the "/symphony/system/authors/" URL to the "/index.php" script.
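An added example, not Symphony's code and not part of the advisory: how a sort parameter can be handled so that its value never reaches the SQL text. The table, column names, function names and the "order" parameter are hypothetical; the sample rows are constructed.

```php
<?php
// Added illustration; NOT Symphony's code. All names below are hypothetical.

// Allow-list: values a client may send in ?sort= mapped to real column names.
const SORTABLE_COLUMNS = [
    'name'  => 'last_name',
    'email' => 'email',
    'seen'  => 'last_seen',
];

/**
 * Build an ORDER BY clause from untrusted request values.
 * Identifiers cannot be bound as prepared-statement parameters, so the
 * request value is never copied into the SQL; it only selects a fixed string.
 */
function buildOrderBy(?string $sort, ?string $order): string
{
    $column    = SORTABLE_COLUMNS[$sort ?? ''] ?? 'last_name'; // unknown key -> default
    $direction = strtolower($order ?? '') === 'desc' ? 'DESC' : 'ASC';
    return "ORDER BY {$column} {$direction}";
}

function listAuthors(PDO $db, array $query): array
{
    // Array-valued parameters (sort[]=...) are treated as absent.
    $sort  = is_string($query['sort'] ?? null) ? $query['sort'] : null;
    $order = is_string($query['order'] ?? null) ? $query['order'] : null; // assumed parameter
    $sql   = 'SELECT id, last_name, email FROM authors ' . buildOrderBy($sort, $order);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authors (id INTEGER PRIMARY KEY, last_name TEXT, email TEXT, last_seen TEXT)');
$db->exec("INSERT INTO authors (last_name, email, last_seen) VALUES
    ('Moreau', 'a@example.org', '2013-03-01'),
    ('Becker', 'z@example.org', '2013-04-01')");

// A known key sorts by its mapped column; anything else falls back to the default.
foreach (['email', 'not-a-column'] as $sort) {
    $rows = listAuthors($db, ['sort' => $sort, 'order' => 'asc']);
    echo $sort, ' => ', implode(', ', array_column($rows, 'last_name')), PHP_EOL;
}
```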

Remediation

Upgrade to Symphony 2.3.2

References