![b2evolution](http://b2evolution.net/rsc/img/b2evo-logo-t.gif)
b2evolution v4.1.6 suffers from an SQL injection [CWE-89] weakness due to insufficient validation of the HTTP GET parameter "show_statuses" in the "blogs/admin.php" script.
This vulnerability was exploitable via a CSRF vector, but was fixed by the vendor in b2evolution 4.1.7.
Source: High-Tech Bridge Advisory HTB23152.
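
For installs that ran a version before 4.1.7, the added example below (not code from the advisory or from b2evolution) reviews web access-log lines for requests that pass "show_statuses" to admin.php with an unexpected value or with a Referer from another site, the pattern a CSRF-delivered request leaves. The Apache combined log format, the host names, the sample lines and the "lowercase word" value pattern are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: legitimate status values are short lowercase words.
SAFE_VALUE = re.compile(r"[a-z_]{1,32}")
# Apache combined log format: client, timestamp, request line, status, size, referer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def review_line(line, site_host):
    """Return the findings for one access-log line (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    if not url.path.endswith("/admin.php"):
        return []
    # parse_qsl percent-decodes, so show_statuses%5B%5D and show_statuses[] both match.
    values = [v for k, v in parse_qsl(url.query, keep_blank_values=True)
              if k.split("[", 1)[0] == "show_statuses"]
    if not values:
        return []
    findings = []
    if any(not SAFE_VALUE.fullmatch(v) for v in values):
        findings.append("unexpected-value")
    try:
        ref_host = urlsplit(m["referer"]).hostname  # None for "-" or empty
    except ValueError:
        ref_host = None
    if ref_host is not None and ref_host != site_host:
        findings.append("cross-site-referer")
    return findings

def scan(lines, site_host):
    """Return (line number, findings) for every line with at least one finding."""
    return [(n, f) for n, line in enumerate(lines, 1)
            if (f := review_line(line, site_host))]

# Constructed sample lines, not taken from any real log.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /blogs/admin.php?show_statuses[]=draft HTTP/1.1" 200 5120 "http://blog.example/blogs/admin.php" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2024:10:05:00 +0000] "GET /blogs/admin.php?show_statuses%5B%5D=draft%27 HTTP/1.1" 200 312 "http://other.example/page.html" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:06:00 +0000] "GET /blogs/index.php?show_statuses[]=x%27 HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2024:10:07:00 +0000] "GET /blogs/admin.php?show_statuses[]=draft HTTP/1.1" 200 5120 "http://other.example/page.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG, "blog.example"):
        print(lineno, ", ".join(findings))
```

A hit is a reason to look at the request and the session behind it, not proof of compromise; browsers and proxies that strip the Referer header will not trigger the cross-site check.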