CVE-2020-21176
CRITICALThinkJS 3.2.10 - SQL Injection via model.increment and model.decrement step parameter
Title source: llmDescription
SQL injection vulnerability in the model.increment and model.decrement function in ThinkJS 3.2.10 allows remote attackers to execute arbitrary SQL commands via the step parameter.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://blog.jiguang.xyz/posts/thinkjs-sql-injection/
Scores
CVSS v3
9.8
EPSS
0.0149
EPSS Percentile
71.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (2)
npm/thinkjs
0npm
thinkjs/thinkjs
3.2.10
Published
Feb 01, 2021
Tracked Since
Feb 18, 2026