doctrine/dbal is vulnerable to SQL injection. The modifyLimitQuery function in src/Platforms/AbstractPlatform.php does not properly sanitize the input, which allows a remote attacker to inject arbitrary SQL commands via the APIs.
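
A caller-side check for limit and offset values, as an added example that is not doctrine/dbal's own code. `appendLimitUnchecked` is a simplified, hypothetical stand-in for a method that builds the LIMIT clause by string concatenation, and `appendLimitChecked` shows integer validation that keeps non-numeric input out of the SQL text. All function names, the sample query and the sample input are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in: appends LIMIT/OFFSET by plain concatenation.
// Whatever the caller passes ends up verbatim in the SQL string.
function appendLimitUnchecked(string $query, $limit, $offset = 0): string
{
    if ($limit !== null) {
        $query .= ' LIMIT ' . $limit;
    }
    if ($offset > 0) {
        $query .= ' OFFSET ' . $offset;
    }
    return $query;
}

// Accepts an int or a decimal integer string >= 0; rejects everything else.
function requireNonNegativeInt($value, string $name): int
{
    $int = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($int === false) {
        throw new InvalidArgumentException(sprintf('%s must be a non-negative integer', $name));
    }
    return $int;
}

// Hardened form: values are validated, then formatted with %d only.
function appendLimitChecked(string $query, $limit, $offset = 0): string
{
    if ($limit !== null) {
        $query .= sprintf(' LIMIT %d', requireNonNegativeInt($limit, 'limit'));
    }
    $offset = requireNonNegativeInt($offset, 'offset');
    if ($offset > 0) {
        $query .= sprintf(' OFFSET %d', $offset);
    }
    return $query;
}

// Constructed sample input: a "limit" value as it might arrive from a request.
$query = 'SELECT id, name FROM users ORDER BY id';
$untrusted = '10 /* trailing text that is not part of the number */';

echo appendLimitUnchecked($query, $untrusted), PHP_EOL; // trailing text is copied into the SQL
echo appendLimitChecked($query, '10', 20), PHP_EOL;     // numeric input passes through
try {
    appendLimitChecked($query, $untrusted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same `requireNonNegativeInt` check can be applied in application code to any request-derived paging value before it is handed to the query builder.
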
Name | Operator | Version
---|---|---
doctrine/dbal | le | 3.1.3
github.com/doctrine/dbal/commit/483a518de57f39b3843ba53954f1bbb2fa151934
github.com/doctrine/dbal/commit/9dcfa4cb6c03250b78a84737ba7ceb82f4b7ba4d
github.com/doctrine/dbal/pull/4984
github.com/doctrine/dbal/releases
github.com/doctrine/dbal/security/advisories/GHSA-r7cj-8hjg-x622
www.doctrine-project.org/2021/11/11/dbal3-vulnerability-fixed.html