CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 4CVE-2023-25813 – SQL Injection via replacements in sequelize
https://notcve.org/view.php?id=CVE-2023-25813
Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. • https://github.com/bde574786/Sequelize-1day-CVE-2023-25813 https://github.com/White-BAO/CVE-2023-25813 https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b https://github.com/sequelize/sequelize/issues/14519 https://github.com/sequelize/sequelize/releases/tag/v6.19.1 https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.9EPSS: 0%CPEs: 26EXPL: 0CVE-2023-22579 – Sequalize - Unsafe fall-through in getWhereConditions
https://notcve.org/view.php?id=CVE-2023-22579
Due to improper parameter filtering in the sequalize js library, can a attacker peform injection. • https://csirt.divd.nl/CVE-2023-22579 https://csirt.divd.nl/DIVD-2022-00020 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 10.0EPSS: 0%CPEs: 26EXPL: 0CVE-2023-22578 – Sequalize - Default support for “raw attributes” when using parentheses
https://notcve.org/view.php?id=CVE-2023-22578
Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections. • https://csirt.divd.nl/CVE-2023-22578 https://csirt.divd.nl/DIVD-2022-00020 • CWE-790: Improper Filtering of Special Elements •
CVSS: 7.5EPSS: 0%CPEs: 26EXPL: 0CVE-2023-22580 – Sequalize - Bad query filtering leading to SQL errors
https://notcve.org/view.php?id=CVE-2023-22580
Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure. Tiki Wiki CMS Groupware versions 24.0 and below suffers from a PHP object injection vulnerability in grid.php. • https://csirt.divd.nl/CVE-2023-22580 https://csirt.divd.nl/DIVD-2022-00020 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-10749
https://notcve.org/view.php?id=CVE-2019-10749
sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect. sequelize anterior a la versión 3.35.1, permite a atacantes realizar una inyección SQL debido a que las claves de ruta JSON no son saneadas apropiadamente en el dialecto de Postgres. • https://github.com/sequelize/sequelize/commit/ee4017379db0059566ecb5424274ad4e2d66bc68 https://snyk.io/vuln/SNYK-JS-SEQUELIZE-450222 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •