
[CRITICAL] Multiple Security Vulnerabilities Found (RCON Injection, SQLi) #1

Description

@groundmanage2022

Hi ZabboME Team,

During a thorough security audit of this API, I identified several critical vulnerabilities that put server owners at risk:

- RCON Command Injection: Lack of input validation and direct command concatenation allows arbitrary RCON command execution.
- SQL Injection: Multiple endpoints interact with the database without using prepared statements.
- Cross-Site Scripting (XSS): Alert messages were not properly sanitized.

I have created a Hardened Core version of this API that resolves all these issues, implements strict regex validation, uses PDO prepared statements everywhere, and cleans up the codebase for production.

Fixed Version: groundmanage2022/ZabboAPI-Hardened-Core

I strongly recommend merging these fixes or recommending users switch to the hardened version to protect their servers.
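As an added, self-contained illustration of the three fixes the report names (not code from ZabboAPI or the hardened fork; the `users` table, the RCON actions and their argument patterns are assumed), here is a concatenated query beside its PDO prepared form, an allow-list check for RCON arguments, and HTML escaping for alert text:

```php
<?php
// Added illustration, not code from ZabboAPI or the hardened fork.
// Assumed schema: table `users` with columns `id`, `username`.
declare(strict_types=1);

// 1. SQL: the input is spliced straight into the query text (the defect the report describes).
function findUserVulnerable(PDO $db, string $name): ?array {
    $row = $db->query("SELECT id, username FROM users WHERE username = '$name'")->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened: the query text is fixed; the value travels separately as a bound parameter.
function findUserHardened(PDO $db, string $name): ?array {
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// 2. RCON: each action (assumed names) gets a strict allow-list pattern for its argument,
//    checked before any command string is assembled.
const RCON_ALLOWED = [
    'say'  => '/^[A-Za-z0-9 .,!?-]{1,120}$/',
    'kick' => '/^[A-Za-z0-9_]{3,16}$/',
];

function buildRconCommand(string $action, string $argument): string {
    if (!isset(RCON_ALLOWED[$action])) {
        throw new InvalidArgumentException('unknown RCON action');
    }
    if (preg_match(RCON_ALLOWED[$action], $argument) !== 1) {
        throw new InvalidArgumentException('argument failed validation');
    }
    return $action . ' ' . $argument;
}

// 3. XSS: escape alert text for the HTML context it is rendered into.
function renderAlert(string $message): string {
    return '<div class="alert">' . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</div>';
}

// Demonstration against an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");
var_dump(findUserHardened($db, "alice' OR '1'='1")); // NULL: the whole string is matched as a literal name
var_dump(findUserHardened($db, 'alice'));            // array with id 1 and username 'alice'
echo buildRconCommand('say', 'Server restart in 5 minutes'), "\n";
echo renderAlert('<b>unsafe</b>'), "\n";            // tags arrive escaped, not rendered
```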
