漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
EverShop has a Second-Order SQL Injection in URL Rewrite Processing Derived from Category URL Keys
Vulnerability Description
EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application embeds path / request_path values—derived from the url_key stored in the database—into SQL statements via string concatenation and passes them to execute(). As a result, if a malicious string is stored in url_key , subsequent event processing modifies and executes the SQL statement, leading to a second-order SQL injection. Patched from v2.1.1.
CVSS Information
N/A
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Vulnerability Title
EverShop SQL注入漏洞
Vulnerability Description
EverShop是EverShop开源的一个 NodeJS 电商平台。 EverShop 2.1.1之前版本存在SQL注入漏洞,该漏洞源于在处理类别更新和删除事件时,通过字符串拼接将url_key值嵌入SQL语句,可能导致二阶SQL注入攻击。
CVSS Information
N/A
Vulnerability Type
N/A