Advisories for Npm/Loopback-Connector-Mongodb package

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in loopback-connector-mongodb.

Versions of loopback-connector-mongodb are vulnerable to NoSQL injection. MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where property to be passed to the MongoDB Driver. The Driver allows the special $where property in a filter to execute JavaScript (client can pass in a malicious script) on the database Driver. This is an intended feature of MongoDB unless disabled (instructions …