Commit a5dcf86a authored 7 years ago by Peter Rotich Committed by Peter Rotich 7 years ago

CVE-2017-14396

This commit addresses an SQL injection vulnerability in ORM lookup
function.

* ORM implementation failed to properly quote fields, used in SQL
statements, that might originate from unsanitized user input.

* AttachmentFile lookup allowed for key based SQL injection by blindly
delegating non-string lookup to ORM.

parent 9ee76ca0

No related branches found

No related tags found

No related merge requests found

Hide whitespace changes

Inline Side-by-side

Showing with 6 additions and 2 deletions

Please register or to comment