
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') and Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') and Improper Neutralization of Special Elements in Data Query Logic in api/routes/posts.js

High
vinsdragonis published GHSA-3pv7-25cc-mjvv Aug 19, 2022

Package

npm api/routes/posts.js (npm)

Affected versions

1.0.1

Patched versions

None

Description

Impact

If a database query (such as a SQL or NoSQL query) is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.

Patches

Yet to be patched.

Workarounds

Most database connector libraries offer a way of safely embedding untrusted data into a query using query parameters or prepared statements.

For NoSQL queries, make use of an operator like MongoDB's $eq to ensure that untrusted data is interpreted as a literal value and not as a query object.
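The `$eq` workaround applied to a posts route, as an added example that is not code from the advisory or the affected project; the `author` field, the `Post` model and the route handler are assumptions, and the vulnerable builder is shown only to contrast it with the hardened one.

```javascript
// Added example (not code from the advisory or the affected project). Assumes an
// Express-style handler whose filter comes from req.query or req.body; the
// field name "author" and the Post model are hypothetical.

// Vulnerable pattern: the request value is copied straight into the filter.
// If the client supplies an object rather than a string (Express's extended
// query parser turns bracketed keys into nested objects), MongoDB reads it as
// a query object instead of as an author name.
function buildFilterUnsafe(params) {
  return { author: params.author };
}

// Guard: does a raw request value look like a query object rather than a literal?
// Applied to untrusted input only, never to the filter we build ourselves.
function isQueryObject(value) {
  if (Array.isArray(value)) return value.some(isQueryObject);
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some((k) => k.startsWith('$') || isQueryObject(value[k]));
}

// Hardened pattern: accept only a bounded plain string, then wrap it in $eq so
// the driver can only compare it as a literal. Anything else is rejected before
// it reaches the database (the caller maps the TypeError to HTTP 400).
function buildFilterSafe(params) {
  const author = params.author;
  if (typeof author !== 'string' || author.length === 0 || author.length > 64) {
    throw new TypeError('author must be a non-empty string (got ' +
      (isQueryObject(author) ? 'a query object' : typeof author) + ')');
  }
  return { author: { $eq: author } };
}

// Usage inside the hypothetical route handler:
//   router.get('/', async (req, res) => {
//     let filter;
//     try { filter = buildFilterSafe(req.query); }
//     catch (e) { return res.status(400).json({ error: e.message }); }
//     res.json(await Post.find(filter));
//   });
```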

References

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2022-36030