Vulnerability Information
Vulnerability Title
Sort order SQL injection in Administrate
Vulnerability Description
In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the `direction` parameter and bypass ActiveRecord SQL protections. Whilst this does have a high impact, to exploit this you need access to the Administrate dashboards, which we would expect to be behind authentication. This is patched in version 0.13.0.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Vulnerability Type
Improper Neutralization of Special Elements in Data Query Logic
Vulnerability Title
Administrate SQL injection vulnerability
Vulnerability Description
Administrate (rubygem) before version 0.13.0 contains a SQL injection vulnerability. The flaw stems from the program not validating the contents of the 'direction' parameter before inserting it into the SQL query statement. An attacker could exploit this vulnerability to view, add, modify or delete information in the backend database.
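Both descriptions above describe the same flaw: a sort direction taken from the request reaches the SQL text without validation. The Ruby below is an added example written for this page, not Administrate's own code; the function names, the allowlist constants and the sample request parameters are assumptions made for illustration. It sets the unchecked interpolation beside an allowlist check of the kind the fix relies on, and adds a small check a defender can run over logged request parameters to spot values that should never have been accepted.

```ruby
# Added example (not Administrate's code). Shows how a dashboard sort
# should validate `direction` (and the attribute name) before either value
# is used to build an ORDER BY fragment. All names here are assumptions.

# The only two legal sort directions. Anything else is rejected.
ALLOWED_DIRECTIONS = %w[asc desc].freeze

# Vulnerable pattern: `direction` comes straight from the request and is
# interpolated into the query text unchanged, so whatever the client sent
# after the attribute name becomes part of the SQL.
def unsafe_order_clause(attribute, direction)
  "#{attribute} #{direction}"
end

# Hardened pattern: normalise the value and compare it against a fixed
# allowlist; fall back to a safe default when it is not a legal keyword.
def safe_order_clause(attribute, direction, default: "asc")
  dir = direction.to_s.downcase
  dir = default unless ALLOWED_DIRECTIONS.include?(dir)
  "#{attribute} #{dir}"
end

# Stricter variant: refuse the request outright instead of silently
# correcting it, which also makes the bad input visible in error logs.
def strict_order_clause(attribute, direction)
  dir = direction.to_s.downcase
  unless ALLOWED_DIRECTIONS.include?(dir)
    raise ArgumentError, "invalid sort direction: #{direction.inspect}"
  end
  "#{attribute} #{dir}"
end

# The attribute name is user-controlled too, so it must be checked against
# the dashboard's own attribute list (assumed to be passed in) rather than
# trusted. Returns nil when the requested attribute is not sortable.
def order_clause_for(allowed_attributes, params)
  attribute = params["order"].to_s
  return nil unless allowed_attributes.include?(attribute)
  safe_order_clause(attribute, params["direction"])
end

# Defender-side check: given request parameter hashes (e.g. reconstructed
# from access logs), return those whose `direction` is present but not one
# of the two legal keywords. Such requests should never reach the database.
def suspicious_sort_requests(requests)
  requests.select do |params|
    dir = params["direction"]
    !dir.nil? && !ALLOWED_DIRECTIONS.include?(dir.to_s.downcase)
  end
end

# Constructed sample input, standing in for parsed dashboard requests.
SAMPLE_REQUESTS = [
  { "order" => "name", "direction" => "asc" },
  { "order" => "email", "direction" => "DESC" },
  { "order" => "name", "direction" => "not-a-direction" },
  { "order" => "name" },
].freeze

DASHBOARD_ATTRIBUTES = %w[name email created_at].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REQUESTS.each do |params|
    puts "#{params.inspect} -> #{order_clause_for(DASHBOARD_ATTRIBUTES, params).inspect}"
  end
  puts "flagged: #{suspicious_sort_requests(SAMPLE_REQUESTS).inspect}"
end
```

With ActiveRecord, the validated pair can be passed in hash form (`order(attribute => dir.to_sym)`) so no SQL string is built by hand at all; the allowlist check on the attribute name still applies, since a hash key is interpolated as an identifier.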
CVSS Information
N/A
Vulnerability Type
N/A