NoSQL Injection - MongoDB

Home/Alerts/Alert detail/

Risk:
High

Type:
Active

CWE:
CWE-943

Summary: MongoDB query injection may be possible.

Solution: Do not trust client side input and escape all data on the server side. Avoid to use the query input directly into the where and group clauses and upgrade all drivers at the latest available version.

References

https://arxiv.org/pdf/1506.04082.pdf

https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection.html

Top Security News

Download: CIS Critical Security Controls v8.1

Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039)

Hackers now use AppDomain Injection to drop CobaltStrike beacons

New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks

Critical Veeam RCE bug now used in Frag ransomware attacks

HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities

Palo Alto Networks warns of potential PAN-OS RCE vulnerability

D-Link won’t fix critical flaw affecting 60,000 older NAS devices

Common Alerts

LowDangerous JS Functions

InformationalHTTP Parameter Pollution

InformationalSec-Fetch-Site Header Has an Invalid Value

MediumCSP: style-src unsafe-inline

HighCloud Metadata Potentially Exposed

HighPath Traversal

LowCookie without SameSite Attribute

LowStrict-Transport-Security Header Not Set

LowStrict-Transport-Security Defined via META (Non-compliant with Spec)

LowX-Backend-Server Header Information Leak

Top CVE List

CVE-2024-5910 Palo Alto Networks Expedition Missing Authentication Vulnerability

CVE-2024-8956 PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability

CVE-2024-49039 Microsoft Windows Task Scheduler Privilege Escalation Vulnerability

CVE-2021-26858 Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2014-2120 Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability

CVE-2021-41277 Metabase GeoJSON API Local File Inclusion Vulnerability

CVE-2024-43451 Microsoft Windows NTLMv2 Hash Disclosure Spoofing Vulnerability

CVE-2024-9463 Palo Alto Networks Expedition OS Command Injection Vulnerability

CVE-2021-26086 Atlassian Jira Server and Data Center Path Traversal Vulnerability

CVE-2024-9465 Palo Alto Networks Expedition SQL Injection Vulnerability

Common CWEs

CWE-62 UNIX Hard Link

CWE-214 Invocation of Process Using Visible Sensitive Information

CWE-688 Function Call With Incorrect Variable or Reference as Argument

CWE-472 External Control of Assumed-Immutable Web Parameter

HighCWE-772 Missing Release of Resource after Effective Lifetime

CWE-37 Path Traversal: '/absolute/pathname/here'

CWE-1341 Multiple Releases of Same Resource or Handle

CWE-155 Improper Neutralization of Wildcards or Matching Symbols

CWE-830 Inclusion of Web Functionality from an Untrusted Source

CWE-1421 Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution

Free security scan for your website

Don't show website scan report rating on the leaderboard