CVE-2020-35666

Severity: High | WAF coverage: High
CVSS: 8.8 | Published: 2020-12-23
CWE-89

Steedos Platform through 1.21.24 allows NoSQL injection because the /api/collection/findone implementation in server/packages/steedos_base.js mishandles req.body validation, as demonstrated by MongoDB operator attacks such as an X-User-Id[$ne]=1 value. A bracket-notation body parser expands that parameter into the object {"X-User-Id": {"$ne": "1"}}; when the value is passed straight into the query filter, the lookup no longer matches one id but every record whose id is not "1", so the first such document is returned.
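The mechanism above, as an added example that is not Steedos code and does not reproduce the vulnerable file: a constructed bracket-notation body parser stands in for qs/body-parser, an in-memory users list stands in for the MongoDB collection, and a small matcher implements only the operators the demo needs. The vulnerable shape forwards the request value into the filter; the hardened shape accepts only a scalar string and refuses operator keys anywhere in the body.

```javascript
// Added illustration of the CVE-2020-35666 bug class (NoSQL operator injection).
// Nothing here is Steedos code; the parser, collection and matcher are
// constructed stand-ins for qs-style body parsing and a MongoDB findOne.

// Minimal qs-style parser: "X-User-Id[$ne]=1" -> { "X-User-Id": { "$ne": "1" } }
// (one level of bracket nesting, which is all the reported payload uses).
function parseUrlencoded(body) {
  const out = {};
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = decodeURIComponent(eq === -1 ? '' : pair.slice(eq + 1));
    const m = rawKey.match(/^([^\[]+)\[([^\]]*)\]$/);
    if (m) {
      out[m[1]] = out[m[1]] || {};
      out[m[1]][m[2]] = value;
    } else {
      out[rawKey] = value;
    }
  }
  return out;
}

// Constructed sample collection.
const USERS = [
  { _id: 'u1', name: 'alice', role: 'admin' },
  { _id: 'u2', name: 'bob', role: 'user' },
];

// Stand-in for Mongo filter evaluation: a plain value compares for equality,
// an object value is treated as an operator document.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const actual = doc[field];
    if (cond !== null && typeof cond === 'object') {
      return Object.entries(cond).every(([op, arg]) => {
        switch (op) {
          case '$ne': return actual != arg;
          case '$gt': return actual > arg;
          case '$regex': return new RegExp(arg).test(String(actual));
          default: throw new Error('unsupported operator ' + op);
        }
      });
    }
    return actual === cond;
  });
}

function findOne(filter) {
  return USERS.find((doc) => matches(doc, filter)) || null;
}

// Vulnerable shape: the body value goes straight into the query, so an object
// value becomes an operator document and "{$ne: '1'}" matches almost everyone.
function findOneVulnerable(reqBody) {
  return findOne({ _id: reqBody['X-User-Id'] });
}

// Hardened shape: require a scalar string and reject "$"-prefixed or dotted
// keys anywhere in the body (the same rule express-mongo-sanitize applies).
function containsOperatorKeys(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(
    ([k, v]) => k.startsWith('$') || k.includes('.') || containsOperatorKeys(v)
  );
}

function findOneHardened(reqBody) {
  const id = reqBody['X-User-Id'];
  if (typeof id !== 'string' || containsOperatorKeys(reqBody)) {
    throw new Error('invalid X-User-Id');
  }
  return findOne({ _id: id });
}

// Usage: the benign lookup finds bob; the operator payload makes the
// vulnerable path return alice (first id != "1"); the hardened path rejects it.
const benign = parseUrlencoded('X-User-Id=u2');
const attack = parseUrlencoded('X-User-Id[$ne]=1');
console.log(findOneVulnerable(benign).name);
console.log(findOneVulnerable(attack).name);
try { findOneHardened(attack); } catch (e) { console.log(e.message); }
```

The type check matters as much as the key filter: a JSON body can deliver {"X-User-Id": {"$ne": 1}} without any bracket syntax, and a value that is not a string should never reach the query builder.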

WAF Coverage Analysis

Category: SQL Injection (WAF coverage: High)

OWASP: A03:2021 Injection

Rule family: 942xxx - SQL Injection

Caveat: the injected payload is MongoDB operator syntax, not SQL. Within the 942xxx family the relevant rule is 942290 (basic MongoDB injection attempts, which looks for operators such as $ne); the generic SQL-syntax rules will not reliably fire on a bracket-notation parameter like X-User-Id[$ne]=1. Coverage also depends on the WAF inspecting the request body: the same operator document can be sent as JSON, which is only examined if the JSON body processor is enabled for application/json requests.

Affected Software

Vendor: steedos | Product: steedos | Version: up to 1.21.24
