Vulnerability Information
Although advanced large language model technology is used, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Parse Server has a SQL injection via dot-notation field name in PostgreSQL
Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database, because sub-field values in dot-notation queries are not properly escaped. The vulnerability may also affect queries that use dot-notation field names with the distinct and where query parameters. Only deployments that use a PostgreSQL database are affected. The vulnerability is fixed in 9.6.0-alpha.2 and 8.6.28.
CVSS Information
N/A
Vulnerability Type
Improper escaping of special elements used in an SQL command (SQL injection)
Vulnerability Title
Parse Server SQL Injection Vulnerability
Vulnerability Description
Parse Server is an open source backend from Parse Platform that can be deployed to any infrastructure capable of running Node.js. Parse Server versions prior to 9.6.0-alpha.2 and prior to 8.6.28 contain a SQL injection vulnerability. The flaw stems from an attacker being able to combine a dot-notation field name with the sort query parameter; because sub-field values in dot-notation queries are improperly escaped, SQL can be injected into the PostgreSQL database, which may result in a SQL injection attack.
CVSS Information
N/A
Vulnerability Type
N/A
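As an added illustration of the bug class named in both descriptions above (this is not Parse Server's own code, and the advisory gives no actual payload): a hypothetical query builder that turns a dot-notation sort field such as data.sub into a PostgreSQL JSON path expression by splicing the sub-field values straight into the SQL string, next to a hardened version that allow-lists key names and quotes every component. The builder functions, the choice of the -> and ->> operators, and the sample hostile input are all constructed for this example.

```javascript
// Added illustration of the bug class described in the advisory; this is NOT
// Parse Server's own code. A query's "sort" parameter names a field, and a
// dot-notation field such as "data.sub" is rendered as a PostgreSQL JSON path
// expression. Both builders are hypothetical, constructed for this example.

// Naive builder: the top-level column is quoted as an identifier, but each
// dot-separated sub-field is spliced into the SQL string verbatim, so a single
// quote inside a sub-field ends the string literal early.
function buildOrderByNaive(sortParam) {
  const desc = sortParam.startsWith('-');
  const field = desc ? sortParam.slice(1) : sortParam;
  const [column, ...subFields] = field.split('.');
  let expr = `"${column}"`;
  subFields.forEach((sub, i) => {
    const op = i === subFields.length - 1 ? '->>' : '->'; // last hop yields text
    expr += `${op}'${sub}'`; // unescaped: the vulnerable pattern
  });
  return `ORDER BY ${expr} ${desc ? 'DESC' : 'ASC'}`;
}

// Hardened builder: every path component must match a strict key pattern, and
// each one is still quoted correctly (identifier or string literal) so that a
// future relaxation of the pattern cannot reintroduce the injection.
const KEY_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

function quoteIdent(name) {
  return '"' + name.replace(/"/g, '""') + '"';
}

function quoteLiteral(value) {
  return "'" + value.replace(/'/g, "''") + "'";
}

function buildOrderBySafe(sortParam) {
  const desc = sortParam.startsWith('-');
  const field = desc ? sortParam.slice(1) : sortParam;
  const parts = field.split('.');
  for (const part of parts) {
    if (!KEY_RE.test(part)) {
      throw new Error(`Invalid field name component: ${JSON.stringify(part)}`);
    }
  }
  const [column, ...subFields] = parts;
  let expr = quoteIdent(column);
  subFields.forEach((sub, i) => {
    const op = i === subFields.length - 1 ? '->>' : '->';
    expr += `${op}${quoteLiteral(sub)}`;
  });
  return `ORDER BY ${expr} ${desc ? 'DESC' : 'ASC'}`;
}

// True when the hardened builder refuses the parameter.
function isRejected(sortParam) {
  try {
    buildOrderBySafe(sortParam);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed inputs: a benign sort and a hypothetical hostile one whose
// sub-field closes the string literal and appends a SQL expression.
const benign = 'data.sub';
const hostile = "data.x' || version() || '";

console.log(buildOrderByNaive(benign));  // ORDER BY "data"->>'sub' ASC
console.log(buildOrderByNaive(hostile)); // ORDER BY "data"->>'x' || version() || '' ASC
console.log(buildOrderBySafe(benign));   // ORDER BY "data"->>'sub' ASC
console.log(isRejected(hostile));        // true
```

The naive output shows why a sort parameter alone is enough: the attacker controls text that lands inside an ORDER BY expression executed with the server's database privileges. The same rendering step applies wherever a dot-notation name is turned into SQL, which is why the advisory also flags the distinct and where parameters. Deployments that use the PostgreSQL database can check the installed package with `npm ls parse-server` and upgrade to 8.6.28 or 9.6.0-alpha.2 or later; deployments that do not use PostgreSQL are not affected by this issue.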