CVE-2020-7981

Name of the Vulnerable Software and Affected Versions Geocoder versions prior to 1.6.1

Description The issue allows Boolean-based SQL injection when the within bounding box function is used with untrusted sw lat, sw lng, ne lat, or ne lng data. This can occur in the sql.rb file of the Geocoder software.

Recommendations For Geocoder versions prior to 1.6.1, update to version 1.6.1 or later to resolve the issue. As a temporary workaround, consider validating and sanitizing the sw lat, sw lng, ne lat, and ne lng parameters to prevent SQL injection attacks. Restrict access to the within bounding box function until the update is applied.