Submit #555649: web.py 0.70 SQL Injectioninfo

Titleweb.py 0.70 SQL Injection
DescriptionIn the PostgresDB._process_insert_query method of web/db.py, the seqname parameter is not properly filtered or escaped.When using PostgreSQL database, attackers can inject arbitrary SQL commands by controlling the sequence name parameter
Source⚠️ https://noppgwz8if.feishu.cn/docx/TxjpddUpTokyBwxibSgcTRr7nUf
User
 Luaklein (UID 83974)
Submission04/10/2025 06:30 (1 Year ago)
Moderation04/19/2025 01:50 (9 days later)
StatusAccepted
VulDB entry305724 [webpy web.py 0.70 web/db.py PostgresDB._process_insert_query seqname sql injection]
Points17

PreviousOverviewNext

Interested in the pricing of exploits?

See the underground prices here!