CVE-2020-35666

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-35666

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-35666.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-35666

Published

2020-12-23T20:15:12.927Z

Modified

2025-11-14T11:04:06.888356Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Steedos Platform through 1.21.24 allows NoSQL injection because the /api/collection/findone implementation in server/packages/steedos_base.js mishandles req.body validation, as demonstrated by MongoDB operator attacks such as an X-User-Id[$ne]=1 value.

References

https://github.com/steedos/steedos-platform/issues/1245

Affected packages

Git / github.com/steedos/steedos-platform

Affected ranges

Type: GIT
Repo: https://github.com/steedos/steedos-platform
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

8ee3b5f6179be4eb564c802730fdae428fe6af39

Affected versions

v.*

v.1.6.1

v1.*

v1.10.0

v1.10.1

v1.10.4

v1.10.5

v1.11.0

v1.12.0

v1.12.1

v1.12.4

v1.12.6

v1.13.0

v1.13.1

v1.13.4

v1.14.0

v1.14.2

v1.14.5

v1.15.0

v1.15.3

v1.15.4

v1.15.5

v1.16.0

v1.16.1

v1.16.3

v1.16.4

v1.16.5

v1.17.0

v1.17.1

v1.18.0

v1.18.1

v1.18.10

v1.18.11

v1.18.12

v1.18.13

v1.18.14

v1.18.15

v1.18.2

v1.18.3

v1.18.4

v1.18.5

v1.18.6

v1.18.8

v1.18.9

v1.19.0

v1.19.1

v1.19.2

v1.19.3

v1.19.5

v1.19.6

v1.19.7

v1.19.8

v1.19.9

v1.20.0

v1.20.10

v1.20.11

v1.20.12

v1.20.13

v1.20.14

v1.20.15

v1.20.4

v1.20.7

v1.20.8

v1.20.9

v1.21.0

v1.21.0-alpha.0

v1.21.0-alpha.1

v1.21.0-alpha.2

v1.21.0-alpha.3

v1.21.0-alpha.4

v1.21.0-alpha.5

v1.21.0-alpha.6

v1.21.1

v1.21.10

v1.21.11

v1.21.12

v1.21.13

v1.21.14

v1.21.15

v1.21.16

v1.21.17

v1.21.18

v1.21.19

v1.21.2

v1.21.20

v1.21.21

v1.21.22

v1.21.23

v1.21.24

v1.21.3

v1.21.4

v1.21.5

v1.21.6

v1.21.8

v1.21.9

v1.5.1

v1.5.1-patch.1

v1.5.3

v1.5.4

v1.5.5

v1.5.6

v1.5.7

v1.5.8

v1.6.0

v1.6.0-alpha.0

v1.6.0-alpha.1

v1.6.0-alpha.2

v1.6.0-alpha.3

v1.6.0-alpha.4

v1.6.10

v1.6.11

v1.6.12

v1.6.2

v1.6.4

v1.6.6

v1.6.7

v1.6.8

v1.6.9

v1.7.0

v1.7.5

v1.8.0

v1.8.1

v1.8.2

v1.9.0

v1.9.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-35666.json"