A PCI scan on my site is saying that there is a SQL Injection vulnerability. But where it seems to be indicating it is on pretty basic Commerce functionality. When visiting a product variation page directly, it appends v=nn
to the URL to show the selected variation.
This scan is suggesting that URLs like:
?v=54+or+5459%3D5459&page=1 ?v=54+or+6721%3D8812&page=1
… return TRUE and FALSE, respectively (return where, I’m not really sure).
This is all pretty default behavior of Drupal Commerce if I’m not mistaken. Is it possible that this is a false positive from this PCI scan?
I know I haven’t added any custom queries to this site. Other than theming, it’s pretty out-of-the-box behavior. And I don’t think I’m using the v= parameter directly in any of my theming.
I’m sorry this is vague and general, but looking for some more information on how to address this PCI result.
Thanks in advance!