CVE-2020-35666

Steedos Platform through 1.21.24 allows NoSQL injection because the /api/collection/findone implementation in server/packages/steedos_base.js mishandles req.body validation, as demonstrated by MongoDB operator attacks such as an X-User-Id[$ne]=1 value.
References
Link Resource
https://github.com/steedos/steedos-platform/issues/1245 Exploit Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:steedos:steedos:*:*:*:*:*:*:*:*

Information

Published : 2020-12-23 08:15

Updated : 2020-12-23 08:29


NVD link : CVE-2020-35666

Mitre link : CVE-2020-35666

Products Affected
No products.
CWE