Description
Arches is a web platform for creating, managing, & visualizing geospatial data. Versions prior to 6.1.2, 6.2.1, and 7.1.2 are vulnerable to SQL Injection. With a carefully crafted web request, it's possible to execute certain unwanted sql statements against the database. This issue is fixed in version 7.12, 6.2.1, and 6.1.2. Users are recommended to upgrade as soon as possible. There are no workarounds.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low
Affected products
- archesproject / arches<= 6.1.2 – <= 6.1.2
- archesproject / arches>= 6.2.0, < 6.2.1 – >= 6.2.0, < 6.2.1
- archesproject / arches>= 7.0.0, < 7.1.2 – >= 7.0.0, < 7.1.2