Summary

Acunetix 360 detected that the application is vulnerable to a MongoDB operator injection. MongoDB injections occur when applications don't sanitize user input, which is then interpreted by a MongoDB database.

Impact

Depending on the backend database version, an attacker can perform one of the following types of attacks successfully:

  • Reading, updating or deleting arbitrary data from the database
  • Collect sensitive information about the backend server configuration

Remediation

To avoid this vulnerability;

  • Sanitize user-supplied input and strictly check its type
  • Use most recent version of MongoDB.

Severity

High

Classification

PCI v3.2-6.5.1 CWE-943 OWASP 2013-A1 OWASP 2017-A1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L