CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 4CVE-2023-25813 – SQL Injection via replacements in sequelize
https://notcve.org/view.php?id=CVE-2023-25813
Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. • https://github.com/bde574786/Sequelize-1day-CVE-2023-25813 https://github.com/White-BAO/CVE-2023-25813 https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b https://github.com/sequelize/sequelize/issues/14519 https://github.com/sequelize/sequelize/releases/tag/v6.19.1 https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.9EPSS: 0%CPEs: 26EXPL: 0CVE-2023-22579 – Sequalize - Unsafe fall-through in getWhereConditions
https://notcve.org/view.php?id=CVE-2023-22579
Due to improper parameter filtering in the sequalize js library, can a attacker peform injection. • https://csirt.divd.nl/CVE-2023-22579 https://csirt.divd.nl/DIVD-2022-00020 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 10.0EPSS: 0%CPEs: 26EXPL: 0CVE-2023-22578 – Sequalize - Default support for “raw attributes” when using parentheses
https://notcve.org/view.php?id=CVE-2023-22578
Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections. • https://csirt.divd.nl/CVE-2023-22578 https://csirt.divd.nl/DIVD-2022-00020 • CWE-790: Improper Filtering of Special Elements •
CVSS: 7.5EPSS: 0%CPEs: 26EXPL: 0CVE-2023-22580 – Sequalize - Bad query filtering leading to SQL errors
https://notcve.org/view.php?id=CVE-2023-22580
Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure. Tiki Wiki CMS Groupware versions 24.0 and below suffers from a PHP object injection vulnerability in grid.php. • https://csirt.divd.nl/CVE-2023-22580 https://csirt.divd.nl/DIVD-2022-00020 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 1CVE-2019-10748
https://notcve.org/view.php?id=CVE-2019-10748
Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects. Todas las versiones anteriores a 3.35.1, 4.44.3 y 5.8.11 de Sequelize, son vulnerables a una Inyección SQL debido a que las claves de ruta JSON no se escapan correctamente para los dialectos de MySQL/MariaDB. • https://github.com/sequelize/sequelize/commit/a72a3f5%2C https://github.com/sequelize/sequelize/pull/11089%2C https://snyk.io/vuln/SNYK-JS-SEQUELIZE-450221 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •