Dbix
Monthly
SQL injection in DBIx::QuickORM (a Perl ORM) before version 0.000026 lets attackers manipulate queries through unquoted SQL identifiers. Because the bundled SQL::Abstract subclass sets bindtype but never quote_char, caller-supplied identifiers such as order_by values, where-clause column keys, field/returning lists, upsert columns, and join aliases are emitted verbatim into the SQL string while only values are placeholder-bound. An application that forwards untrusted input into any of these identifier positions exposes data disclosure and tampering; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.
SQL injection in DBIx::QuickORM (a Perl ORM) before version 0.000026 lets attackers manipulate queries through unquoted SQL identifiers. Because the bundled SQL::Abstract subclass sets bindtype but never quote_char, caller-supplied identifiers such as order_by values, where-clause column keys, field/returning lists, upsert columns, and join aliases are emitted verbatim into the SQL string while only values are placeholder-bound. An application that forwards untrusted input into any of these identifier positions exposes data disclosure and tampering; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.