OpenNMS issue NMS-9476

SQL injection in DefaultSurveillanceViewService


    Details

    • Sprint:
      Horizon - July 12th

      Description

      DefaultSurveillanceViewService uses a CriteriaBuilder.sql() call to filter on category names, but the names are neither parameterized nor escaped, so this is a possible SQL injection site.

      We should refactor this to avoid manually constructing the SQL query string.

      The behavior was introduced in commit 62f4577d57177d1688ed91aa9d0738fa62b57486:

      https://github.com/OpenNMS/opennms/commit/62f4577d57177d1688ed91aa9d0738fa62b57486
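The pattern the description calls out, as an added example that is not OpenNMS code: an IN-list over category names spliced into the SQL text, beside the parameterized form the refactor should move to. It uses an in-memory SQLite table as a constructed stand-in for the node/category tables and plain DB-API calls in place of CriteriaBuilder, so the table and column names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows; stands in for OpenNMS tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE categories (categoryid INTEGER PRIMARY KEY, categoryname TEXT);
        CREATE TABLE category_node (categoryid INTEGER, nodeid INTEGER);
        INSERT INTO categories VALUES (1, 'Routers'), (2, 'Switches'), (3, 'Servers');
        INSERT INTO category_node VALUES (1, 10), (2, 20), (3, 30);
    """)
    return conn


def nodes_unsafe(conn, category_names):
    """Vulnerable form: names are concatenated into the SQL text, so a name
    containing quote characters changes the meaning of the WHERE clause."""
    in_list = ", ".join("'" + name + "'" for name in category_names)
    sql = ("SELECT DISTINCT cn.nodeid FROM category_node cn "
           "JOIN categories c ON cn.categoryid = c.categoryid "
           "WHERE c.categoryname IN (" + in_list + ")")
    return sorted(row[0] for row in conn.execute(sql))


def nodes_safe(conn, category_names):
    """Hardened form: the SQL text holds only placeholders; every name is
    sent as a bind parameter and is never parsed as SQL."""
    names = list(category_names)
    if not names:
        # An empty IN () is a syntax error on most databases; short-circuit.
        return []
    placeholders = ", ".join("?" for _ in names)
    sql = ("SELECT DISTINCT cn.nodeid FROM category_node cn "
           "JOIN categories c ON cn.categoryid = c.categoryid "
           "WHERE c.categoryname IN (" + placeholders + ")")
    return sorted(row[0] for row in conn.execute(sql, names))


if __name__ == "__main__":
    db = make_db()
    crafted = "Routers') OR ('x'='x"  # a name containing quote characters
    print("unsafe:", nodes_unsafe(db, [crafted]))  # every node leaks
    print("safe:  ", nodes_safe(db, [crafted]))    # no category has that name
```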

              People

              Assignee: Seth Leger (Inactive)
              Reporter: Seth Leger (Inactive)