CVE-2019-10752
https://notcve.org/view.php?id=CVE-2019-10752
Sequelize, all versions prior to 4.44.3 and 5.15.1, is vulnerable to SQL injection because the sequelize.json() helper function does not properly escape values when formatting sub-paths for JSON queries on MySQL, MariaDB and SQLite.
• https://github.com/sequelize/sequelize/commit/9bd0bc111b6f502223edf7e902680f7cc2ed541e
• https://snyk.io/vuln/SNYK-JS-SEQUELIZE-459751
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-11069
https://notcve.org/view.php?id=CVE-2019-11069
Sequelize version 5 before 5.3.0 does not properly ensure that standard-conforming strings are used.
• https://github.com/sequelize/sequelize/blob/98cb17c17f73e2aa1792aa5a1d31216ba984b456/lib/dialects/postgres/connection-manager.js#L158-L160
• https://github.com/sequelize/sequelize/commit/850c7fd04669e0fef9238b6dc4f8d6ee93ed71e9
• https://github.com/sequelize/sequelize/pull/10746/files
• https://github.com/sequelize/sequelize/releases/tag/v5.3.0
• CWE-20: Improper Input Validation