CVE-2020-35666
HIGHSteedos Platform < 1.21.24 - NoSQL Injection via X-User-Id Parameter
Title source: llmDescription
Steedos Platform through 1.21.24 allows NoSQL injection because the /api/collection/findone implementation in server/packages/steedos_base.js mishandles req.body validation, as demonstrated by MongoDB operator attacks such as an X-User-Id[$ne]=1 value.
References (1)
Core 1
Core References
Exploit, Vendor Advisory x_refsource_misc
https://github.com/steedos/steedos-platform/issues/1245
Scores
CVSS v3
8.8
EPSS
0.0107
EPSS Percentile
61.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
steedos/steedos
< 1.21.24
Published
Dec 23, 2020
Tracked Since
Feb 18, 2026