OpenNMS issue NMS-9476

SQL injection in DefaultSurveillanceViewService

Details

    • Horizon - July 12th

    Description

      DefaultSurveillanceViewService uses a CriteriaBuilder.sql() call to filter on category names, but the names are neither parameterized nor escaped, so this is a possible SQL injection site.

      We should refactor this to avoid manually constructing the SQL query string.

      The behavior was introduced in commit 62f4577d57177d1688ed91aa9d0738fa62b57486:

      https://github.com/OpenNMS/opennms/commit/62f4577d57177d1688ed91aa9d0738fa62b57486
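      To make the defect concrete, here is an added illustration (not OpenNMS code, and not the Java service the ticket names) that reproduces the pattern in Python against an in-memory SQLite table with constructed sample rows: one function splices category names into the SQL text the way the description says the service does, the other passes them as bound parameters so the database treats every name purely as data. The table and column names are illustrative assumptions, not the real OpenNMS schema.

```python
import sqlite3

# Constructed sample data standing in for node/category rows (assumption:
# table and column names are illustrative, not the real OpenNMS schema).
SAMPLE_ROWS = [
    ("node-a", "Routers"),
    ("node-b", "Switches"),
    ("node-c", "O'Reilly Lab"),   # a legitimate name containing a quote
    ("node-d", "Servers"),
]


def make_db():
    """Build an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE node_categories (nodelabel TEXT, categoryname TEXT)")
    conn.executemany("INSERT INTO node_categories VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def nodes_in_categories_unsafe(conn, names):
    """The pattern the ticket describes: names are concatenated into the SQL string.

    Any quote character in a category name alters the query text itself, so a
    benign name breaks the statement and a crafted one could change its meaning.
    """
    in_list = ", ".join("'" + n + "'" for n in names)
    sql = "SELECT nodelabel FROM node_categories WHERE categoryname IN (" + in_list + ")"
    return sorted(row[0] for row in conn.execute(sql))


def nodes_in_categories_safe(conn, names):
    """The parameterized form: one placeholder per name, values bound separately.

    The SQL text never contains user-supplied characters, so the database can
    only ever compare categoryname against the literal strings it is given.
    """
    names = list(names)
    if not names:
        return []  # an empty IN () list is a syntax error in most dialects
    placeholders = ", ".join("?" for _ in names)
    sql = "SELECT nodelabel FROM node_categories WHERE categoryname IN (" + placeholders + ")"
    return sorted(row[0] for row in conn.execute(sql, names))


def unsafe_query_fails(conn, names):
    """Return True if the concatenating version cannot even parse the query."""
    try:
        nodes_in_categories_unsafe(conn, names)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(nodes_in_categories_safe(db, ["Routers", "Servers"]))
    print(nodes_in_categories_safe(db, ["O'Reilly Lab"]))
    print("unsafe version breaks on a quoted name:", unsafe_query_fails(db, ["O'Reilly Lab"]))
```

The quoted category name is the useful check: the parameterized function returns exactly the matching node, while the concatenating function throws a syntax error, which is the same symptom a reviewer should look for wherever a CriteriaBuilder.sql() call is fed strings from the UI.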

            People

              Seth Leger