SQL Injection
Affecting pouchdb package, versions <1.1.0
Overview
pouchdb is a pocket-sized database.
Affected versions of the package are vulnerable to SQL Injection because the startkey and endkey values passed to the allDocs() function are not properly escaped before being used in the query.
You can read more about SQL Injection on our blog.
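The defect described above, modelled as an added example (this is not PouchDB's own code): a key-range query assembled by splicing startkey and endkey into the SQL text, beside the same query using bound parameters. It is written in Python with the standard sqlite3 module so it runs with no dependencies; the table, document ids and inputs are constructed for illustration.

```python
import sqlite3

# Constructed sample data: a handful of document ids, the kind of rows a
# key-range query such as allDocs({startkey, endkey}) would scan.
SAMPLE_IDS = ["alpha", "beta", "gamma", "delta"]


def make_db():
    """Create an in-memory SQLite table holding the constructed sample ids."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id TEXT PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO docs (id, body) VALUES (?, ?)",
        [(doc_id, "{}") for doc_id in SAMPLE_IDS],
    )
    return conn


def all_docs_unsafe(conn, startkey, endkey):
    """Vulnerable pattern: caller-supplied keys are concatenated into the SQL.
    A key containing a quote character changes the structure of the query,
    so the WHERE clause no longer expresses the intended range."""
    sql = (
        "SELECT id FROM docs WHERE id >= '" + startkey + "' "
        "AND id <= '" + endkey + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def all_docs_safe(conn, startkey, endkey):
    """Hardened pattern: the keys travel as bound parameters, so the database
    treats them as literal strings whatever characters they contain."""
    sql = "SELECT id FROM docs WHERE id >= ? AND id <= ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (startkey, endkey))]


def compare(startkey, endkey):
    """Run both variants against a fresh database and return their results."""
    conn = make_db()
    try:
        return {
            "unsafe": all_docs_unsafe(conn, startkey, endkey),
            "safe": all_docs_safe(conn, startkey, endkey),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary keys: both variants agree on the range.
    print(compare("beta", "delta"))
    # A key containing a single quote (constructed test input, not a real id):
    # the concatenated query returns every row, the parameterized one returns
    # only ids that literally fall in the requested range, which is none.
    print(compare("zzz' OR '1'='1", "zzz"))
```

The parameterized form is the remediation pattern: the shape of the SQL is fixed at the call site and the key values are passed separately, so escaping is no longer the application's responsibility.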
Remediation
Upgrade pouchdb to version 1.1.0 or higher.
References
CVSS Score: 6.5 (medium severity)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: None
- Credit: Nolan Lawson
- CWE: CWE-89
- Snyk ID: npm:pouchdb:20131221
- Disclosed: 20 Dec, 2013
- Published: 13 Mar, 2017