PT-2024-36561 · Nette · Nette Database
Published: 2024-12-10 · Updated: 2024-12-12 · CVE-2024-55586
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Nette Database versions 3.2.4 and earlier
Description
The issue allows SQL injection in certain situations where an untrusted filter is passed directly to the where method. The vendor's position is that this is intended behavior.
Recommendations
For versions 3.2.4 and earlier, as a temporary workaround, consider restricting the use of untrusted filters that are directly passed to the where method until a resolution is provided.
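The following PHP snippet is an added illustration of the workaround above, not code from the advisory or from the Nette project. It contrasts a handler that hands a request-supplied filter straight to the where method with one that only lets the client choose from an allow-list of conditions and passes every value through a ? placeholder. The $explorer instance (Nette\Database\Explorer, normally injected by DI), the table "book" and its columns are assumed for the example.

```php
<?php
declare(strict_types=1);

use Nette\Database\Explorer;
use Nette\Database\Table\Selection;

// Assumption: $explorer is an injected Nette\Database\Explorer; the table
// "book" with columns "title", "author_id" and "price" is hypothetical.

// RISKY PATTERN: the request supplies the whole condition. where() treats its
// first argument as SQL text, so whatever the client sends becomes part of the
// WHERE clause. This is the situation the advisory describes.
function findBooksUnsafe(Explorer $explorer, array $request): Selection
{
    $filter = (string) ($request['filter'] ?? '1=1');
    return $explorer->table('book')->where($filter);
}

// MITIGATED PATTERN: the client may only select from a fixed allow-list of
// filters. The SQL text is static; each user-supplied value travels through a
// ? placeholder as a bound parameter and never becomes SQL.
const ALLOWED_FILTERS = [
    // request key => [condition with placeholder, value normaliser]
    'author'    => ['author_id = ?', 'intval'],
    'max_price' => ['price <= ?',    'floatval'],
    'title'     => ['title = ?',     'strval'],
];

function findBooksSafe(Explorer $explorer, array $request): Selection
{
    $selection = $explorer->table('book');
    foreach (ALLOWED_FILTERS as $key => [$condition, $normalise]) {
        if (!isset($request[$key])) {
            continue; // filter not requested
        }
        // Normalise the value to the expected type, then bind it.
        $selection->where($condition, $normalise($request[$key]));
    }
    // Request keys outside the allow-list are ignored, so a client cannot
    // introduce a condition of its own.
    return $selection;
}

// Usage (values are constructed sample input, e.g. from $_GET):
// $books = findBooksSafe($explorer, ['author' => '7', 'max_price' => '20']);
// foreach ($books as $book) { echo $book->title, "\n"; }
```

The second function is the shape the workaround asks for: the only strings that reach where() as SQL are literals defined in the application, while request data is confined to parameter positions.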
At the moment, there is no information about a newer version that contains a fix for this issue.
Exploit
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Nette Database