Affected versions:
- Apache VCL 2.2 through 2.5.1
Description:
Improper Neutralization of Special Elements used in an SQL Command ('SQL
Injection') vulnerability in Apache VCL. Users can modify form data submitted
when requesting a new Block Allocation such that a SELECT SQL statement is
modified. The data returned by the SELECT statement is not viewable by the
attacker.
This issue affects all versions of Apache VCL from 2.2 through 2.5.1.
Users are recommended to upgrade to version 2.5.2, which fixes the issue.
Credit:
Chiencp and Nothing from TeamTonTac (finder)
References:
https://vcl.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-53678
