NoSQL Injection Vulnerability in Steedos Platform (CVE-2021-XXXX)

NoSQL Injection Vulnerability in Steedos Platform (CVE-2021-XXXX)

CVE-2020-35666 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Steedos Platform through 1.21.24 allows NoSQL injection because the /api/collection/findone implementation in server/packages/steedos_base.js mishandles req.body validation, as demonstrated by MongoDB operator attacks such as an X-User-Id[$ne]=1 value.

Learn more about our Cis Benchmark Audit For Microsoft Sql Server.