Description

Node.js third-party module query-mysql versions 0.0.0, 0.0.1, and 0.0.2 are vulnerable to an SQL injection vulnerability due to lack of user input sanitization. This may allow an attacker to run arbitrary SQL queries when fetching data from database.

Remediation

References

https://hackerone.com/reports/311244

Related Vulnerabilities

CVE-2020-28268 Vulnerability in npm package controlled-merge

CVE-2022-31129 Vulnerability in maven package org.webjars.bower:momentjs

CVE-2023-6293 Vulnerability in npm package sequelize-typescript

CVE-2022-31160 Vulnerability in maven package org.webjars.bower:jquery-ui

CVE-2021-21292 Vulnerability in maven package org.traccar:traccar

Severity

Critical

Classification

CWE-89 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory