Keeper-Security / Commander

Keeper Commander is a Python-based CLI and SDK interface to the Keeper Security platform. It provides administrative controls, reporting, import/export and vault management.
https://www.keepersecurity.com/commander.html
MIT License

SQL Injection Vulnerability #1229

Closed aydinnyunus closed 3 months ago

aydinnyunus commented 3 months ago

Hi Team,

I found multiple SQL Injection vulnerabilities.

SQL injection is a type of cybersecurity attack that targets databases through maliciously crafted SQL (Structured Query Language) statements. SQL injection occurs when an attacker inserts or "injects" malicious SQL code into input fields of a web application, exploiting vulnerabilities in the application's software that inadequately validate or sanitize user input.

Use parameterized queries or prepared statements to separate user inputs from the query structure. This helps prevent attackers from injecting malicious code into the query.
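The recommendation above, shown as an added, self-contained example (not Commander's code and not a claim about any query in this repository): a constructed in-memory SQLite table, a query that splices a value into the SQL text, and the same query written with a bound parameter. The table, the column names and the `titles_for_owner_*` helpers are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; not Commander's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (uid TEXT PRIMARY KEY, title TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO records VALUES (?, ?, ?)",
        [("r1", "bank login", "alice"), ("r2", "wifi", "alice"), ("r3", "server root", "bob")],
    )
    conn.commit()
    return conn


def titles_for_owner_unsafe(conn, owner):
    # Vulnerable pattern: the value becomes part of the SQL text, so a quote
    # character inside `owner` changes the structure of the statement.
    sql = f"SELECT title FROM records WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def titles_for_owner_safe(conn, owner):
    # Parameterized form: the driver binds `owner` as a value; whatever it
    # contains is compared as a string literal and never parsed as SQL.
    sql = "SELECT title FROM records WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def demo():
    conn = make_db()
    benign = "alice"
    # Constructed probe value: the single quote closes the literal and the
    # trailing OR makes the WHERE clause always true in the spliced query.
    hostile = "x' OR '1'='1"
    return {
        "unsafe_benign": titles_for_owner_unsafe(conn, benign),
        "unsafe_hostile": titles_for_owner_unsafe(conn, hostile),
        "safe_benign": titles_for_owner_safe(conn, benign),
        "safe_hostile": titles_for_owner_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running it shows the difference in one place: the spliced query returns every row for the probe value, while the parameterized query returns nothing because no owner is literally named `x' OR '1'='1`. The distinction only matters where a value originating outside the program reaches the query text; a statement whose text is fixed at development time and takes no input has no injection surface to parameterize.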

sk-keeper commented 3 months ago

None of these queries support SQL parameters and none of these queries accept user's input.