Description
Arches is a web platform for creating, managing, & visualizing geospatial data. Versions prior to 6.1.2, 6.2.1, and 7.1.2 are vulnerable to SQL Injection. With a carefully crafted web request, it's possible to execute certain unwanted sql statements against the database. This issue is fixed in version 7.12, 6.2.1, and 6.1.2. Users are recommended to upgrade as soon as possible. There are no workarounds.
References (1)
Core 1
Core References
Patch, Third Party Advisory
https://github.com/archesproject/arches/security/advisories/GHSA-gmpq-xrxj-xh8m
Scores
CVSS v3
8.6
EPSS
0.0055
EPSS Percentile
42.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-89
Status
published
Products (6)
archesproject/arches
6.2.0
archesproject/arches
7.0.0
archesproject/arches
7.1.0
archesproject/arches
7.1.1
archesproject/arches
< 6.1.1
pypi/arches
0 - 6.1.2PyPI
Published
Nov 11, 2022
Tracked Since
Feb 18, 2026