SQL inyection in Umami Software application

SQL inyection (SQLi) vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database.Specifically, they could manipulate the value of the 'timezone' request parameter by including malicious characters and SQL payload. The application would interpolate these values directly into the SQL query without first performing proper filtering or sanitization (e.g., using functions such as 'prisma.rawQuery', 'prisma.$queryRawUnsafe' or raw queries with 'ClickHouse'). The successful explotation of this vulnerability could allow an authenticated attacker to compromiso the data of the database and execute dangerous functions.

N/A

SQL命令中使用的特殊元素转义处理不恰当(SQL注入)

Umami SQL注入漏洞

Umami是Umami公司的一个提供网站访问统计与用户行为分析功能的轻量级分析平台。 Umami存在SQL注入漏洞，该漏洞源于timezone请求参数清理不当，可能导致SQL注入攻击。

N/A

N/A