Vulnerability Information
Although we use advanced large-model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Hi.Events: SQL Injection via Unvalidated sort_by Query Parameter in Multiple Repository Classes
Vulnerability Description
Hi.Events is an open-source event management and ticket-selling platform. From version 0.8.0-beta.1 up to, but not including, version 1.7.1-beta, multiple repository classes pass the user-supplied sort_by query parameter directly to Eloquent's orderBy() without validating it against a known set of columns, enabling SQL injection through the ORDER BY clause. The application runs on PostgreSQL, which supports stacked queries, so an injection here is not limited to altering the sort order. This issue has been patched in version 1.7.1-beta.
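The pattern the advisory describes, shown beside a hardened replacement. This is an added illustration, not Hi.Events code: the StubQuery class stands in for an Eloquent builder so the file runs on its own, and the column allowlist, request keys and function names are assumptions. The advisory gives no payload and none is attempted here; the tampered value is simply a string that is not a column name. An allowlist of real column names is the standard mitigation for this class of bug; the page does not state how 1.7.1-beta fixed it.

```php
<?php
declare(strict_types=1);

// Added example (not Hi.Events code). StubQuery is a stand-in for an
// Eloquent query builder that only records orderBy() calls; in the real
// application $query would be the Eloquent builder itself.
final class StubQuery
{
    /** @var array<int, array{0: string, 1: string}> */
    public array $orders = [];

    public function orderBy(string $column, string $direction = 'asc'): self
    {
        $this->orders[] = [$column, $direction];
        return $this;
    }
}

/** Vulnerable shape from the advisory: the request value reaches orderBy() unchecked. */
function applySortUnsafe(StubQuery $query, array $params): StubQuery
{
    return $query->orderBy($params['sort_by'] ?? 'id', $params['sort_direction'] ?? 'asc');
}

/** Hardened: only a column from a fixed allowlist is ever used, else the default. */
function resolveSortColumn(array $allowedColumns, ?string $requested, string $default): string
{
    if ($requested !== null && in_array($requested, $allowedColumns, true)) {
        return $requested;
    }
    return $default;
}

/** Normalise the direction to exactly 'asc' or 'desc' (anything else becomes 'asc'). */
function resolveSortDirection(?string $requested): string
{
    return strtolower((string) $requested) === 'desc' ? 'desc' : 'asc';
}

function applySortSafe(StubQuery $query, array $params, array $allowedColumns, string $default): StubQuery
{
    $column    = resolveSortColumn($allowedColumns, $params['sort_by'] ?? null, $default);
    $direction = resolveSortDirection($params['sort_direction'] ?? null);
    return $query->orderBy($column, $direction);
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        fwrite(STDERR, "FAILED: $what\n");
        exit(1);
    }
}

// Constructed input: an assumed column set and a query string whose sort_by
// is not a column name (illustrative only, not a working payload).
$allowedColumns = ['id', 'created_at', 'title'];
$tampered = ['sort_by' => 'created_at; not a column', 'sort_direction' => 'DESC'];

$unsafe = applySortUnsafe(new StubQuery(), $tampered);
check($unsafe->orders === [['created_at; not a column', 'DESC']], 'unsafe path forwards raw input');

$safe = applySortSafe(new StubQuery(), $tampered, $allowedColumns, 'created_at');
check($safe->orders === [['created_at', 'desc']], 'unknown column falls back to default');

$normal = applySortSafe(new StubQuery(), ['sort_by' => 'title'], $allowedColumns, 'created_at');
check($normal->orders === [['title', 'asc']], 'allowed column passes through');

echo "ok\n";
```

Keep the allowlist per repository (the columns that resource actually exposes for sorting), not a single global list, so a column that is legitimate for one table cannot be requested against another.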
CVSS Information
N/A
Vulnerability Type
Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
Vulnerability Title
Hi.Events SQL Injection Vulnerability
Vulnerability Description
Hi.Events is an open-source event ticketing and management platform from Hi.Events. Hi.Events versions from 0.8.0-beta.1 up to, but not including, 1.7.1-beta contain an SQL injection vulnerability: multiple repository classes pass the user-supplied sort_by query parameter directly to Eloquent's orderBy() without validation, which can lead to SQL injection.
CVSS Information
N/A
Vulnerability Type
N/A