This issue has been addressed by redesigning the affected function. All Bento4 users are advised to upgrade to Bento4 1.6.0-1132 as soon as possible.
Mantis #11096 - Bento4: SQL injection in image details
Clicking on the image details may redirect you to the image detail page, where you may be vulnerable to a SQL injection.
In Bento4 1.5.0-1115, there was a bad URL in the component AP4_HdlrVodImage::GetHdlrVodImage() that can be exploited to inject malicious code.
Mantis #11098 - Bento4: SQL injection in event details
Clicking on the event details may redirect you to the event detail page, where you may be vulnerable to a SQL injection.
Fixing the problem
Bento4 1.5.0-1115 was released with a fix for this issue. You need to upgrade to Bento4 1.6.0-1132 as soon as possible to avoid this vulnerability.
SQL Injection in Component AP4_HdlrVodImage::GetHdlrVodImage()
The SQL injection vulnerability has been addressed by redesigning the affected function. All Bento4 users are advised to upgrade to Bento4 1.6.0-1132 as soon as possible.
How to verify if your Bento4 is affected by this issue?
You can check the version of your Bento4 installation by clicking on Settings >> About.
Bento4 1.5.0-1115, 1.6.0-1132 and above are not affected by this issue.
Timeline
Published on: 10/19/2022 14:15:00 UTC
Last modified on: 10/21/2022 13:21:00 UTC