Security Bulletin. Vulnerability found in Email Marketer v6.0.0 through v6.5.1

Interspire Email Marketer version 6.0.0 up to and including 6.5.1 allows SQL injection in the Surveys module. If the survey id exists, an unauthenticated attacker could exploit this to extract potentially sensitive information from the database.

We recommend that all users of Email Marketer immediately take one of the following corrective actions.

If you are not using the survey functionality of Email Marketer:

  • Disable the Surveys add-on from the add-on management screen
  • Back up and delete the file ~/surveys.php

Or

If you are using the survey functionality of Email Marketer:

  • Download the updated version of surveys.php
  • Back up and delete the file ~/surveys.php
  • Unzip the updated surveys.php into your installation directory

Or

Update to the latest version of Email Marketer:

If you have an active download link, download and update to the latest version of Email Marketer, which at the time of this writing is version 6.5.2.
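Two checks an administrator would want alongside the steps above: confirm whether an installed version falls inside the affected range (6.0.0 through 6.5.1), and review web server access logs for requests to surveys.php whose survey id is not a plain integer, since an unauthenticated request to the Surveys module is the vector described in this bulletin. The script below is an added example, not code from the bulletin or from Interspire. It assumes a combined-format access log, that surveys.php is served from the web root, and that the survey id arrives in a query parameter named `id` (the bulletin does not name the parameter); the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Affected range as stated in the bulletin: 6.0.0 up to and including 6.5.1.
AFFECTED_MIN = (6, 0, 0)
AFFECTED_MAX = (6, 5, 1)


def parse_version(text: str) -> tuple:
    """Turn 'major.minor.patch' into a comparable tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the version lies inside the range the bulletin calls affected."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines for illustration; not taken from any real deployment.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Nov/2022:10:15:01 +0000] "GET /surveys.php?id=12 HTTP/1.1" 200 4211
203.0.113.10 - - [10/Nov/2022:10:15:07 +0000] "GET /surveys.php?id=12%27 HTTP/1.1" 200 4211
203.0.113.22 - - [10/Nov/2022:10:16:30 +0000] "GET /index.php HTTP/1.1" 200 1532
198.51.100.5 - - [10/Nov/2022:10:17:44 +0000] "GET /surveys.php?id=abc HTTP/1.1" 200 9810
"""


def suspicious_survey_requests(log_text: str) -> list:
    """Return requests to surveys.php whose 'id' value is not a plain decimal integer.

    A legitimate survey id is numeric, so anything else (quotes, letters,
    whitespace) is worth a closer look. The parameter name 'id' is an assumption.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlparse(m.group("target"))
        if not url.path.endswith("/surveys.php"):
            continue
        # parse_qs percent-decodes values, so 12%27 becomes 12' here.
        id_values = parse_qs(url.query).get("id", [])
        odd = [v for v in id_values if not v.isdigit()]
        if odd:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": m.group("status"),
                "id_values": odd,
            })
    return findings


if __name__ == "__main__":
    for v in ("6.0.0", "6.5.1", "6.5.2"):
        print(f"{v}: {'affected' if is_affected(v) else 'not affected'}")
    for hit in suspicious_survey_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} surveys.php id={hit['id_values']} status={hit['status']}")
```

Point the log reader at your own access log to review traffic from before the add-on was disabled or the file replaced; a version that reports "affected" should be taken through one of the three corrective actions listed above.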

The CVE number is CVE-2022-44790. Discovered by Tungbx of VPS Securities.