Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
EverShop has a Second-Order SQL Injection in URL Rewrite Processing Derived from Category URL Keys
Vulnerability Description
EverShop is a TypeScript-first eCommerce platform. During category update and deletion event handling, the application embeds path / request_path values—derived from the url_key stored in the database—into SQL statements via string concatenation and passes them to execute(). As a result, if a malicious string is stored in url_key , subsequent event processing modifies and executes the SQL statement, leading to a second-order SQL injection. Patched from v2.1.1.
CVSS Information
N/A
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Vulnerability Title
EverShop SQL注入漏洞
Vulnerability Description
EverShop是EverShop开源的一个 NodeJS 电商平台。 EverShop 2.1.1之前版本存在SQL注入漏洞,该漏洞源于在处理类别更新和删除事件时,通过字符串拼接将url_key值嵌入SQL语句,可能导致二阶SQL注入攻击。
CVSS Information
N/A
Vulnerability Type
N/A