#sql

## Summary An SQL injection vulnerability exists in the `@veramo/data-store` package that allows any authenticated user to execute arbitrary SQL queries against the database. The vulnerability is caused by insufficient validation of the `column` parameter in the `order` array of query requests. ## Details `packages/data-store/src/data-store-orm.ts` (lines 416-434) The vulnerability exists in the `decorateQB()` function which processes query ordering parameters: ```typescript function decorateQB( qb: SelectQueryBuilder<any>, tableName: string, input: FindArgs<any>, ): SelectQueryBuilder<any> { if (input?.skip) qb = qb.offset(input.skip) if (input?.take) qb = qb.limit(input.take) if (input?.order) { for (const item of input.order) { qb = qb.addSelect( qb.connection.driver.escape(tableName) + '.' + qb.connection.driver.escape(item.column), item.column, ) qb = qb.orderBy(qb.connection.driver.escape(item.column), item.direction) } ...

ActiveRecord-JDBC-Adapter (AR-JDBC) contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the sql.gsub() function in lib/arjdbc/jdbc/adapter.rb not properly sanitizing user-supplied input before using it in SQL queries. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Aimeos 2021.10 LTS contains a SQL injection vulnerability in the json api 'sort' parameter that allows attackers to inject malicious database queries. Attackers can manipulate the sort parameter to reveal table and column names by sending crafted GET requests to the jsonapi/review endpoint.

### Summary An **incomplete SQL injection patch** in the Admin Search Find API allows an authenticated attacker to perform **blind SQL injection**. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to **database information disclosure**. ### Details The vulnerability exists in the Admin Search Find API endpoint: ``` /admin/search/search/find ``` In CVE-2023-30848, the following patch was applied: - SQL comments are removed by replacing `--` - SQL syntax errors are caught and replaced with a generic exception Relevant commit: https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3 Key changes include: ``` // remove sql comments $fields = str_replace('--', '', $fields); try { $hit...

A hacker claims a full breach of Russia’s Max Messenger, threatening to leak user data and backend systems if demands are not met.

Missing authentication for critical function in SQL Server allows an authorized attacker to elevate privileges over a network.

### Summary An unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. Severity: High. ### Details The PUT handler in file.py directly joins user-controlled data into a filesystem path when the request body is JSON and `source_type` is not `"url"`: - `data = request.json` (line ~104) accepts attacker input without validation. - `file_path = os.path.join(temp_dir_path, data["file"])` (line ~178) creates the path inside a temporary directory, but if `data["file"]` is absolute (e.g., `/home/secret.csv`), `os.path.join` ignores `temp_dir_path` and targets the attacker-specified location. - The resulting path is handed to `ca.file_controller.save_file(...)`, which wraps `FileReader(path=source_path)` (`mindsdb/interfaces/file/file_controller.py:66`), causing the application to read the contents of that arbitrary file. The subsequent `shutil.move(file_path, ...)` cal...

A new wave of GoBruteforcer attacks has targeted databases of cryptocurrency and blockchain projects to co-opt them into a botnet that's capable of brute-forcing user passwords for services such as FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux servers. "The current wave of campaigns is driven by two factors: the mass reuse of AI-generated server deployment examples that propagate common

Database of 323,986 BreachForums users leaked online as forum admins claim the exposed data is partial and dates back to August 2025.

### Summary After WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, an attacker can use prompt‑based bypass techniques to evade query restrictions and obtain sensitive information from the target server and database. ### Details ### Source - **File**: `/internal/agent/tools/database_query.go` - **Function**: `validateAndSecureSQL()` (lines 249–373) - **API Endpoint**: `POST /api/v1/agent-chat/{session_id}` ### Sink - **File**: `/internal/agent/tools/database_query.go` - **Function**: `Execute()` (line 158: `t.db.WithContext(ctx).Raw(securedSQL).Rows()`) - **Description**: Raw SQL execution without parameterized queries Backend validation code: `/internal/agent/tools/database_query.go`, lines 273–281: ``` // 3. Check for allowed tables allowedTables := []string{ "tenants", "knowledge_bases", "knowledges", "sessions", "messages", "chunks", "embeddings", "models", } // Extract table names from FROM and ...