CVE-2020-35666

HIGH

Steedos Platform < 1.21.24 - NoSQL Injection via X-User-Id Parameter

Title source: llm
STIX 2.1

Description

Steedos Platform through 1.21.24 allows NoSQL injection because the /api/collection/findone implementation in server/packages/steedos_base.js mishandles req.body validation, as demonstrated by MongoDB operator attacks such as an X-User-Id[$ne]=1 value.

References (1)

Core 1
Core References
Exploit, Vendor Advisory x_refsource_misc
https://github.com/steedos/steedos-platform/issues/1245

Scores

CVSS v3 8.8
EPSS 0.0107
EPSS Percentile 61.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
steedos/steedos < 1.21.24
Published Dec 23, 2020
Tracked Since Feb 18, 2026