{"id":"CVE-2020-21176","details":"SQL injection vulnerability in the model.increment and model.decrement functions in ThinkJS 3.2.10 allows remote attackers to execute arbitrary SQL commands via the step parameter.","aliases":["GHSA-q5mq-6fjg-4mw8"],"modified":"2026-04-10T04:24:32.923426Z","published":"2021-02-01T18:15:13.263Z","references":[{"type":"ADVISORY","url":"https://github.com/thinkjs/thinkjs"},{"type":"EVIDENCE","url":"https://blog.jiguang.xyz/posts/thinkjs-sql-injection/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/thinkjs/thinkjs","events":[{"introduced":"0"},{"last_affected":"2872d6ee5d013ef9271cc735bf051be9d196d17e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.2.10"}]}}],"versions":["1.1.0","1.1.1","1.1.10","1.1.2","1.1.5","1.1.7","1.1.9","1.2.0","1.2.1","1.2.10","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.2.9","2.0.0","2.0.1","2.0.10","2.0.11","2.0.5","2.0.6","2.0.7","2.0.8","2.0.9","2.1.0","2.1.1","2.1.2","2.1.3","2.1.4","2.1.5","2.1.6","2.1.7","2.1.8","2.2.0","2.2.10","2.2.11","2.2.12","2.2.14","2.2.15","2.2.16","2.2.17","2.2.2","2.2.3","2.2.4","2.2.5","2.2.6","2.2.7","2.2.9","3.0.0","v2.2.18","v2.2.19","v2.2.20","v2.2.21","v3.1.0","v3.1.1","v3.1.2","v3.2.0","v3.2.1","v3.2.10","v3.2.2","v3.2.3","v3.2.4","v3.2.7","v3.2.8","v3.2.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-21176.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}