PT-2020-17381 · Steedos · Steedos Platform

Ghost · Published 2020-12-23 · Updated 2020-12-23 · CVE-2020-35666

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Steedos Platform versions prior to 1.21.25

Description: The issue is a NoSQL injection vulnerability. It arises from mishandled req.body validation in the /api/collection/findone implementation in server/packages/steedos base.js. It can be exploited through MongoDB operator attacks, such as supplying the value X-User-Id[$ne]=1.

Recommendations: For Steedos Platform versions prior to 1.21.25, as a temporary workaround, consider disabling the /api/collection/findone API endpoint until a patch is available. Restrict access to the req.body validation in server/packages/steedos base.js to minimize the risk of exploitation. Avoid using the X-User-Id variable in the affected API endpoint until the issue is resolved.
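Added example (not Steedos code) showing why the X-User-Id[$ne]=1 value matters: a bracket-notation body parser in the style of Express/qs turns it into a MongoDB operator object, which an unchecked findOne filter then executes. The bracket parser, the `owner` field name and the two filter builders are constructed for this illustration; the hardened builder rejects any key that MongoDB could read as an operator or field path.

```javascript
// Minimal bracket-notation parser modelled on qs/Express body parsing (constructed for
// this example, not the real library): "a[b]=c" becomes { a: { b: "c" } }.
function parseBracketParam(pair) {
  const [rawKey, rawValue] = pair.split('=');
  const key = decodeURIComponent(rawKey);
  const value = decodeURIComponent(rawValue ?? '');
  const m = key.match(/^([^\[]+)\[([^\]]*)\]$/);
  if (!m) return { [key]: value };
  return { [m[1]]: { [m[2]]: value } };
}

// True if any key (recursively) starts with '$' or contains '.', i.e. could be
// interpreted by MongoDB as a query operator or a dotted field path.
function containsMongoOperator(value) {
  if (Array.isArray(value)) return value.some(containsMongoOperator);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith('$') || k.includes('.') || containsMongoOperator(v)
    );
  }
  return false;
}

// Vulnerable pattern (illustrative): the caller-controlled value is copied straight
// into the filter, so { "$ne": "1" } matches every document whose owner is not "1".
function buildFilterUnsafe(params) {
  return { owner: params['X-User-Id'] };
}

// Hardened pattern: require a plain string and reject operator-shaped input outright.
function buildFilterSafe(params) {
  const id = params['X-User-Id'];
  if (typeof id !== 'string' || containsMongoOperator(params)) {
    throw new TypeError('X-User-Id must be a plain string without MongoDB operators');
  }
  return { owner: id };
}
```

The same `containsMongoOperator` check can be applied to the whole parsed req.body before any collection query is built, which closes the class of issue rather than one parameter.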


Related Identifiers: CVE-2020-35666

Affected Products: Steedos Platform