ScottTZhang voter-js main.js sql injection
Description
A vulnerability was found in ScottTZhang voter-js and classified as critical. Affected by this issue is some unknown functionality of the file main.js. The manipulation leads to sql injection. The patch is identified as 6317c67a56061aeeaeed3cf9ec665fd9983d8044. It is recommended to apply a patch to fix this issue. VDB-217562 is the identifier assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE)
- (no CPE), range: n/a
Patches
Vulnerability mechanics
Root cause
"The application directly embeds user-controlled input into SQL queries without proper sanitization."
Attack vector
An attacker can exploit this vulnerability by providing specially crafted input in the `id` parameter of requests to the `/section/:id` or `/survey/:id` endpoints. This input is then directly concatenated into SQL queries, allowing for SQL injection. The vulnerability is present in the `main.js` file, specifically in how the `id` parameter is handled before being used in database queries [ref_id=1].
Affected code
The vulnerability resides in the `main.js` file of the ScottTZhang voter-js project. Specifically, the code handling requests to `/section/:id` and `/survey/:id` endpoints is affected. The original code directly embeds the `req.params.id` value into SQL queries, which is a common pattern leading to SQL injection [ref_id=1].
What the fix does
The patch addresses the SQL injection vulnerability by changing how the `id` parameter is used in SQL queries. Instead of directly concatenating the `id` into the query string, the updated code now uses parameterized queries, passing the `id` as a separate argument. This ensures that the input is treated as data rather than executable SQL code, thereby preventing injection attacks [patch_id=4373499].
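The two patterns the advisory contrasts, as an added example that is not code from voter-js or from its fix commit: a query builder that splices `req.params.id` into the SQL string (the "before" shape) beside one that keeps the SQL text constant and passes `id` as a bound parameter (the "after" shape), plus an input check in front of the handler. Everything concrete here is assumed, not taken from the page: the table names `sections`/`surveys`, a `db.query(sql, params)` style client with `?` placeholders, and that ids are integers. No database is contacted; the functions return what would be handed to the driver so the difference is visible.

```javascript
// Added example, not voter-js code. Assumptions (not on the advisory page):
// table names, "?" placeholders as in a db.query(sql, params) client, integer ids.
const ROUTES = { section: "sections", survey: "surveys" }; // assumed table names

// 'Before' shape: the URL parameter is concatenated into the statement, so any
// SQL the attacker puts in the path becomes part of the query that runs.
function buildVulnerableQuery(route, id) {
  return "SELECT * FROM " + ROUTES[route] + " WHERE id = " + id;
}

// 'After' shape: the SQL text never changes; id travels separately as a bound
// parameter and the driver treats it as a value, never as SQL syntax.
function buildSafeQuery(route, id) {
  return { text: "SELECT * FROM " + ROUTES[route] + " WHERE id = ?", params: [id] };
}

// Defence in depth in front of the query layer: accept only a plain integer.
// Parameterization alone already stops injection; this fails closed with a 400
// instead of letting junk reach the database and surface as a driver error.
function parseId(raw) {
  if (typeof raw !== "string" || !/^\d{1,18}$/.test(raw)) return null;
  return Number(raw);
}

// Stand-in for an Express handler on /section/:id or /survey/:id: takes the
// route name and a request-like object, returns the status and the query that
// would be executed. Object.prototype.hasOwnProperty avoids matching
// inherited names such as "toString" as routes.
function handleRequest(route, req) {
  if (!Object.prototype.hasOwnProperty.call(ROUTES, route)) return { status: 404 };
  const id = parseId(req.params.id);
  if (id === null) return { status: 400, error: "id must be an integer" };
  return { status: 200, query: buildSafeQuery(route, id) };
}

// Constructed sample input: a classic tautology payload in the id segment.
const attack = "1 OR 1=1";
console.log(buildVulnerableQuery("survey", attack));         // the WHERE clause is now always true
console.log(buildSafeQuery("survey", attack));               // SQL text unchanged, payload sits in params
console.log(handleRequest("survey", { params: { id: attack } })); // rejected before any query is built
console.log(handleRequest("section", { params: { id: "7" } }));   // constant SQL plus [7]
```

The check a reviewer would add when reading the real patch is that every query site in `main.js` that reads `req.params.id` moved to the parameterized form, not only the two routes named above; a single leftover concatenation reopens the same hole.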
Preconditions
- input: The attacker must be able to send requests to the affected endpoints with a manipulated `id` parameter.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/ScottTZhang/voter-js/commit/6317c67a56061aeeaeed3cf9ec665fd9983d8044 (mitre; patch)
- github.com/ScottTZhang/voter-js/pull/15 (mitre; issue-tracking)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)
News mentions
No linked articles in our index yet.