3 matches found
GHSA-PWQG-Q8PG-PP6R Daptin fuzzy search injects unvalidated column name into raw SQL
Summary processFuzzySearch in server/resource/resourcefindallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.Lfmt.Sprintf"LOWER%s LIKE ?", prefix+col raw SQL with no column whitelist check. The entry point is GET /api/ with...
GHSA-RW2C-8RFQ-GWFV Daptin: SQL injection via unvalidated goqu.L() calls in aggregate API
Summary The /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L — a raw SQL literal expression builder — without any validation. This bypassed all parameterization and allowed authenticated users with any valid session to inject arbitrary S...
Daptin: SQL injection via unvalidated goqu.L() calls in aggregate API
Summary The /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L — a raw SQL literal expression builder — without any validation. This bypassed all parameterization and allowed authenticated users with any valid session to inject arbitrary S...