Security Announcement: SQL Injection
Written by Team Mambo
A SQL injection vulnerability has been identified in Mambo versions <= 4.6RC1. This means that the current production version 4.5.4, as well as the recent versions 4.5.3h, 4.5.3, and 4.5.2.3, are all at risk. The quickest way to plug this hole is to open /components/com_weblinks/weblinks.php and add the following two lines at line 250.
// Escape both user-influenced values before they are placed in the SQL query
$row->title = $database->getEscaped($row->title);
$row->catid = $database->getEscaped($row->catid);
We recommend you patch this as soon as possible. For those not comfortable with editing the files manually, security patches are now available for download on the Mamboxchange site.
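To show what the two added lines achieve, here is an added example (not Mambo's own code, written in Python rather than PHP) that builds a query the vulnerable way, the escaped way the patch uses, and a typed way for the numeric column; the table name, column names and query shape are assumptions, and mysql_escape() is a stand-in for $database->getEscaped(), not Mambo's implementation.

```python
# Added example, not part of the Mambo advisory or code base.
# Assumed query shape and table/column names; mysql_escape() mimics the
# backslash escaping MySQL expects inside a quoted literal (like
# mysql_real_escape_string), standing in for Mambo's $database->getEscaped().

def mysql_escape(value: str) -> str:
    """Backslash-escape the characters MySQL treats specially in a quoted literal."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)

def build_query_vulnerable(title: str, catid: str) -> str:
    # Before the fix: values dropped straight into the SQL text, so a quote
    # in the input terminates the literal and the rest is parsed as SQL.
    return f"SELECT id FROM mos_weblinks WHERE title = '{title}' AND catid = '{catid}'"

def build_query_escaped(title: str, catid: str) -> str:
    # After the fix: both values pass through the escaper and sit inside quotes.
    # Escaping only helps if the value is quoted in the query; see the typed form.
    return (f"SELECT id FROM mos_weblinks WHERE title = '{mysql_escape(title)}'"
            f" AND catid = '{mysql_escape(catid)}'")

def build_query_typed(title: str, catid: str) -> str:
    # Stronger form for a numeric column: coerce to int, so no attacker-chosen
    # string reaches the SQL at all (raises ValueError on non-numeric input).
    return (f"SELECT id FROM mos_weblinks WHERE title = '{mysql_escape(title)}'"
            f" AND catid = {int(catid)}")

def quote_boundaries(sql: str) -> int:
    """Count quotes that open or close a literal, honouring backslash escapes
    the way MySQL's tokenizer does; two quoted literals give exactly 4."""
    n, i = 0, 0
    while i < len(sql):
        if sql[i] == "\\":
            i += 2          # escaped character: never a literal boundary
            continue
        if sql[i] == "'":
            n += 1
        i += 1
    return n

if __name__ == "__main__":
    # Constructed sample input: an ordinary title containing apostrophes.
    title, catid = "O'Reilly's links", "7"
    print(quote_boundaries(build_query_vulnerable(title, catid)))  # 6: literal broken
    print(quote_boundaries(build_query_escaped(title, catid)))     # 4: intact
    print(quote_boundaries(build_query_typed(title, catid)))       # 2: intact
```

Checking literal boundaries is a review aid only; the real defence is escaping or, better, typing and parameterising every value before it reaches the query.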