@saltcorn/server 1.6.0-alpha.16

Direct Vulnerabilities

Known vulnerabilities in the @saltcorn/server package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Open Redirect @saltcorn/server is a Server app for Saltcorn, open-source no-code platform Affected versions of this package are vulnerable to Open Redirect via the `is_relative_url` function. An attacker can redirect users to an external, attacker-controlled domain by crafting a malicious URL that exploits improper validation of the `dest` parameter in the login. Note: This can be achieved by tricking a user into clicking a specially crafted login link, leading to potential credential phishing or other social engineering attacks. How to fix Open Redirect? Upgrade `@saltcorn/server` to version 1.4.6, 1.5.6, 1.6.0-beta.5 or higher.	<1.4.6>=1.5.0-beta.0 <1.5.6>=1.6.0-alpha.0 <1.6.0-beta.5
H SQL Injection @saltcorn/server is a Server app for Saltcorn, open-source no-code platform Affected versions of this package are vulnerable to SQL Injection via the `getSyncRows` and `getDelRows` functions. An attacker can execute arbitrary SQL commands, exfiltrate sensitive data, modify or delete database contents, and escalate privileges by submitting crafted input to the affected endpoints. How to fix SQL Injection? Upgrade `@saltcorn/server` to version 1.4.6, 1.5.6, 1.6.0-beta.5 or higher.	<1.4.6>=1.5.0-beta.0 <1.5.6>=1.6.0-alpha.0 <1.6.0-beta.5
H SQL Injection @saltcorn/server is a Server app for Saltcorn, open-source no-code platform Affected versions of this package are vulnerable to SQL Injection via the `Literal` function. An attacker can execute arbitrary SQL commands, manipulate database schema, or exfiltrate data by injecting crafted input into formula-type table constraints, which are converted to SQL without proper escaping. How to fix SQL Injection? Upgrade `@saltcorn/server` to version 1.4.4, 1.5.2, 1.6.0-beta.1 or higher.	<1.4.4>=1.5.0-beta.0 <1.5.2>=1.6.0-alpha.0 <1.6.0-beta.1
C Directory Traversal @saltcorn/server is a Server app for Saltcorn, open-source no-code platform Affected versions of this package are vulnerable to Directory Traversal via the `POST /sync/offline_changes` and `GET /sync/upload_finished` endpoints, which improperly handle user-supplied input in path construction. An attacker can create arbitrary directories, write attacker-controlled JSON files, and list or read files from arbitrary directories by supplying crafted values to the `newSyncTimestamp` or `dir_name` parameters. How to fix Directory Traversal? Upgrade `@saltcorn/server` to version 1.4.5, 1.5.3, 1.6.0-beta.4 or higher.	<1.4.5>=1.5.0-beta.0 <1.5.3>=1.6.0-alpha.0 <1.6.0-beta.4

Vulnerability

Vulnerable Version

Open Redirect

@saltcorn/server is a Server app for Saltcorn, open-source no-code platform

Affected versions of this package are vulnerable to Open Redirect via the is_relative_url function. An attacker can redirect users to an external, attacker-controlled domain by crafting a malicious URL that exploits improper validation of the dest parameter in the login.

Note: This can be achieved by tricking a user into clicking a specially crafted login link, leading to potential credential phishing or other social engineering attacks.

How to fix Open Redirect?

Upgrade @saltcorn/server to version 1.4.6, 1.5.6, 1.6.0-beta.5 or higher.

<1.4.6>=1.5.0-beta.0 <1.5.6>=1.6.0-alpha.0 <1.6.0-beta.5

SQL Injection

@saltcorn/server is a Server app for Saltcorn, open-source no-code platform

Affected versions of this package are vulnerable to SQL Injection via the getSyncRows and getDelRows functions. An attacker can execute arbitrary SQL commands, exfiltrate sensitive data, modify or delete database contents, and escalate privileges by submitting crafted input to the affected endpoints.

How to fix SQL Injection?

Upgrade @saltcorn/server to version 1.4.6, 1.5.6, 1.6.0-beta.5 or higher.

<1.4.6>=1.5.0-beta.0 <1.5.6>=1.6.0-alpha.0 <1.6.0-beta.5

SQL Injection

@saltcorn/server is a Server app for Saltcorn, open-source no-code platform

Affected versions of this package are vulnerable to SQL Injection via the Literal function. An attacker can execute arbitrary SQL commands, manipulate database schema, or exfiltrate data by injecting crafted input into formula-type table constraints, which are converted to SQL without proper escaping.

How to fix SQL Injection?

Upgrade @saltcorn/server to version 1.4.4, 1.5.2, 1.6.0-beta.1 or higher.

<1.4.4>=1.5.0-beta.0 <1.5.2>=1.6.0-alpha.0 <1.6.0-beta.1

Directory Traversal

@saltcorn/server is a Server app for Saltcorn, open-source no-code platform

Affected versions of this package are vulnerable to Directory Traversal via the POST /sync/offline_changes and GET /sync/upload_finished endpoints, which improperly handle user-supplied input in path construction. An attacker can create arbitrary directories, write attacker-controlled JSON files, and list or read files from arbitrary directories by supplying crafted values to the newSyncTimestamp or dir_name parameters.

How to fix Directory Traversal?

Upgrade @saltcorn/server to version 1.4.5, 1.5.3, 1.6.0-beta.4 or higher.

<1.4.5>=1.5.0-beta.0 <1.5.3>=1.6.0-alpha.0 <1.6.0-beta.4

@saltcorn/server@1.6.0-alpha.16

Server app for Saltcorn, open-source no-code platform

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically