2 results (0.005 seconds)

CVSS: 9.8EPSS: 1%CPEs: 18EXPL: 1

SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter. SQLAlchemy, hasta la versión 1.2.17 y las 1.3.x hasta la 1.3.0b2, permite Inyección SQL mediante el parámetro "order_by". • http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00087.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00016.html https://access.redhat.com/errata/RHSA-2019:0981 https://access.redhat.com/errata/RHSA-2019:0984 https://github.com/sqlalchemy/sqlalchemy/issues/4481 https://lists.debian.org/debian-lts-announce/2019/03/msg00020.html https://lists.debian.org/debian-lts-announce/2021/11&#x • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.5EPSS: 0%CPEs: 14EXPL: 1

Multiple SQL injection vulnerabilities in SQLAlchemy before 0.7.0b4, as used in Keystone, allow remote attackers to execute arbitrary SQL commands via the (1) limit or (2) offset keyword to the select function, or unspecified vectors to the (3) select.limit or (4) select.offset function. Múltiples vulnerabilidades de inyección SQL en SQLAlchemy antes v0.7.0b4, tal y como se usa en Keystone, permite a atacantes remotos ejecutar comandos SQL a través de las palabras clave (1) limit (límite) o (2) offset (desplazamiento) a la función de select (selección), o de vectores no especificados a las funciones (3) select.limit o (4) select.offset. • http://rhn.redhat.com/errata/RHSA-2012-0369.html http://secunia.com/advisories/48327 http://secunia.com/advisories/48328 http://secunia.com/advisories/48771 http://www.debian.org/security/2012/dsa-2449 http://www.mandriva.com/security/advisories?name=MDVSA-2012:059 http://www.sqlalchemy.org/changelog/CHANGES_0_7_0 http://www.sqlalchemy.org/trac/changeset/852b6a1a87e7 https://bugs.launchpad.net/keystone/+bug/918608 https://exchange.xforce.ibmcloud.com/vulnerabilities/73756 https • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •