Impact

Vulnerable versions: 5.2 build 1168 to 5.5 build 2163

SQL Injection allows a malicious actor to read any data from the database and change or delete data. This may expose user salted+hashed Plan web user passwords or other data in the database.

if login is enabled: Malicious users with access to /players-page can access an endpoint which was found to contain an SQL Injection vulnerability.
if login is not enabled: Any malicious actor can access an endpoint which was found to contain an SQL Injection vulnerability.

Patches

Fixed in 5.5 build 2172 https://github.com/plan-player-analytics/Plan/releases/tag/5.5.2172

A backport fix for version 5.4 build 1722 can be found here for those still running Java 8 or Sponge 7 https://github.com/plan-player-analytics/Plan/releases/tag/5.4.1722.1

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Mitigation options if you are unable to update

1. Enable https and login so that less users have access to the vulnerable endpoint.
   https://github.com/plan-player-analytics/Plan/wiki/SSL-Certificate-(HTTPS)-Set-Up
2. Enable IP Whitelist so that less users have access to the vulnerable endpoint.

Webserver:
  Security:
    IP_whitelist:
      Enabled: true

3. if unable to update or secure the server, disable Plan Webserver. This option is good if you want to delay updating to a more convenient time.

Webserver:
  Disable_webserver: true