| Title | web.py 0.70 SQL Injection |
|---|
| Description | In the PostgresDB._process_insert_query method of web/db.py, the seqname parameter is not properly filtered or escaped.When using PostgreSQL database, attackers can inject arbitrary SQL commands by controlling the sequence name parameter |
|---|
| Source | ⚠️ https://noppgwz8if.feishu.cn/docx/TxjpddUpTokyBwxibSgcTRr7nUf |
|---|
| User | Luaklein (UID 83974) |
|---|
| Submission | 04/10/2025 06:30 AM (2 months ago) |
|---|
| Moderation | 04/19/2025 01:50 AM (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 305724 [webpy web.py 0.70 web/db.py PostgresDB._process_insert_query seqname sql injection] |
|---|
| Points | 17 |
|---|