This web application is potentially vulnerable to authentication bypass via MongoDB operator injection.
Instead of providing valid credentials (a valid username and password), the scanner was able to bypass authentication using payloads that are evaluated to true by the MongoDB engine (abusing MongoDB operators): username & password={"$ne": "randomstring"}.


If you are passing $_GET/$_POST parameters to your queries, make sure that they are cast to strings first. If you are using JavaScript, make sure that any variables that cross the PHP- to-JavaScript boundary are passed in the scope field of MongoCode, not interpolated into the JavaScript string.


Related Vulnerabilities