MantisBT: master-2.28 6ad20bea

Author Committer Branch Timestamp Parent
dregad dregad master-2.28 2026-05-17 12:05 master-2.28 e3571c31
Affected Issues  0037123: CVE-2026-47142: SQL Injection via `history_order` Configuration Value
Changeset

Fix SQL injection in history_query_result()

Sanitize $t_history_order variable so only ASC/DESC can be added to the
SQL query, defaulting to ASC (matching $g_history_order value in
config_defaults_inc.php).

Fixes 0037123, GHSA-mw6p-33vw-46cc

mod - core/history_api.php Diff File