js · fuxa-server · Heads-up
fuxa-server: SQL injection in TDengine DAQ storage connector
What changed
The TDengine DAQ storage connector's escapeTdString function doubles single quotes but does not escape backslashes, allowing SQL injection via crafted tag identifiers.
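Why doubling quotes alone is not enough, shown as an added example (this is not FUXA's source; every function name and body below is hypothetical and only models the behaviour described above). It assumes a SQL dialect that treats backslash as an escape character inside single-quoted literals, and the sample tag identifiers are constructed.

```javascript
// Added example, not FUXA's source: it models the escaping behaviour described above.
// Assumption: the SQL dialect treats backslash as an escape inside single-quoted
// literals and reads '' as one quote character.

// Behaviour the advisory describes for affected versions: only quotes are doubled.
function escapeQuotesOnly(value) {
  return String(value).replace(/'/g, "''");
}

// Hardened form: escape backslashes first, then double single quotes.
function escapeQuotesAndBackslashes(value) {
  return String(value).replace(/\\/g, "\\\\").replace(/'/g, "''");
}

// Index just past the closing quote of the literal that starts at sql[start],
// or -1 if the literal never closes.
function literalEnd(sql, start) {
  if (sql[start] !== "'") throw new Error("literal must start with a quote");
  let i = start + 1;
  while (i < sql.length) {
    const c = sql[i];
    if (c === "\\") { i += 2; continue; }            // backslash consumes the next char
    if (c === "'") {
      if (sql[i + 1] === "'") { i += 2; continue; }  // doubled quote stays inside
      return i + 1;                                  // real closing quote
    }
    i += 1;
  }
  return -1;
}

// True when the escaped value fills the whole literal, so nothing lands outside it.
function staysInsideLiteral(escapeFn, value) {
  const literal = "'" + escapeFn(value) + "'";
  return literalEnd(literal, 0) === literal.length;
}

// Constructed sample tag identifiers (not taken from the advisory).
const samples = ["pump_1", "o'brien", "tag\\'LEAKED", "trailing\\"];

function report() {
  return samples.map((s) => ({
    value: s,
    quotesOnly: staysInsideLiteral(escapeQuotesOnly, s),
    hardened: staysInsideLiteral(escapeQuotesAndBackslashes, s),
  }));
}

console.log(report());
```

The last two samples fail the quotes-only check: a backslash before a quote, or at the end of the value, changes where the literal closes. The same check can serve as a regression test for any escaping helper used to build SQL literals.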
Who it affects
FUXA instances configured with TDengine as the DAQ backend, especially those with network access to the instance.
What to do today
Upgrade to version 1.3.2 or later to fix the input escaping in the TDengine connector.