SQL Injection Affecting loopback-connector-oracle package, versions <1.5.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about SQL Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDnpm:loopback-connector-oracle:20150108
  • published4 Jan 2017
  • disclosed7 Jan 2015
  • creditRaymond Feng

Introduced: 7 Jan 2015

CVE NOT AVAILABLE CWE-89  (opens in a new tab)

How to fix?

Upgrade loopback-connector-oracle to version 1.5.0 or higher.

Overview

loopback-connector-oracle is Loopback Oracle Connector. Affected versions of the package are vulnerable to SQL injection attacks. User-supplied inputs are not properly sanitized before using it in SQL queries. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

CVSS Scores

version 3.1