Steedos Platform up to and including 1.21.24 allows NoSQL injection because the /api/collection/findone implementation in server/packages/steedos_base.js mishandles req.body validation, as demonstrated by MongoDB operator attacks such as an X-User-Id[$ne]=1 value.
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
steedos steedos |
Vulmon