Ambassador - Some SQL Statements are vulnerable to injections
There are SQL queries in AbstractFeatureCache
that use direct String concatenation to build SQL queries instead of proper parameter binding.
Issue found in methods:
- getMaxObjectId
- getTransformerLoadStatus
- removeFeatures
It looks like these methods are only called from the Cron scheduled jobs, so the likelihood of this being used for a public attack is quite low, but it should still be fixed, since an administrator could still make an error in the configuration files and the unescaped value would end up inside the query.
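To make the defect concrete, here is an added illustration that is not the project's code: a hypothetical `getMaxObjectId`-style lookup written first with string concatenation and then with parameter binding, run against a constructed in-memory SQLite table. The layer name containing an apostrophe stands in for the kind of configuration mistake mentioned above; the concatenated query breaks on it while the bound query treats it as plain data. A bound `removeFeatures`-style delete over a variable-length id list is included as well, since a dynamic `IN (...)` clause is the usual excuse for concatenation. All table and function names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data: a small feature table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE features (object_id INTEGER, layer TEXT)")
    conn.executemany(
        "INSERT INTO features VALUES (?, ?)",
        [(1, "roads"), (2, "roads"), (3, "rivers"), (4, "o'hare")],
    )
    conn.commit()
    return conn


def get_max_object_id_concat(conn, layer):
    """Vulnerable pattern: the configured value is spliced into the SQL text.
    Any quote in `layer` changes the statement instead of being data."""
    sql = "SELECT MAX(object_id) FROM features WHERE layer = '" + layer + "'"
    return conn.execute(sql).fetchone()[0]


def get_max_object_id_bound(conn, layer):
    """Fixed pattern: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT MAX(object_id) FROM features WHERE layer = ?"
    return conn.execute(sql, (layer,)).fetchone()[0]


def remove_features_bound(conn, object_ids):
    """Bound delete over a variable-length id list. Only the placeholder
    count is generated from the input, so no user-controlled text is ever
    concatenated into the statement. Returns the number of deleted rows."""
    if not object_ids:
        return 0
    placeholders = ",".join("?" for _ in object_ids)
    cur = conn.execute(
        "DELETE FROM features WHERE object_id IN (%s)" % placeholders,
        tuple(object_ids),
    )
    conn.commit()
    return cur.rowcount


def run_comparison(layer="o'hare"):
    """Run both lookups with an apostrophe in the configured layer name
    and report how each behaves."""
    conn = make_db()
    result = {"bound": get_max_object_id_bound(conn, layer), "concat_failed": False}
    try:
        result["concat"] = get_max_object_id_concat(conn, layer)
    except sqlite3.OperationalError as exc:
        # The spliced quote leaves an unterminated string: the query is broken.
        result["concat_failed"] = True
        result["concat_error"] = str(exc)
    return result


if __name__ == "__main__":
    print(run_comparison())
```

The bound versions are also the ones to prefer for the scheduled-job code paths: the fact that a value comes from a configuration file rather than a request does not make it trusted input, and binding costs nothing over concatenation.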