SQL Injection due to unescaped object keys

Module: mysql

Published: December 28th, 2015

Reported by: Sébastian Dejonghe

CVE-NONE

CWE-

Vulnerable: <=v2.0.0-alpha7
Patched: >=v2.0.0-alpha8

Overview

Keys of objects are not escaped by mysql.escape(), which could lead to SQL injection.

Remediation

Update to the latest version of the mysql module. Version v2.0.0-alpha8 or greater addresses this issue.
