
CVE-2023-6293 – Prototype Pollution in robinbuschmann/sequelize-typescript
https://notcve.org/view.php?id=CVE-2023-6293
24 Nov 2023 — Prototype Pollution in GitHub repository robinbuschmann/sequelize-typescript prior to 2.1.6. Prototipo de contaminación en el repositorio de GitHub robinbuschmann/sequelize-typescript anterior a 2.1.6. • https://github.com/robinbuschmann/sequelize-typescript/commit/5ce8afdd1671b08c774ce106b000605ba8fccf78 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •

CVE-2023-25813 – SQL Injection via replacements in sequelize
https://notcve.org/view.php?id=CVE-2023-25813
22 Feb 2023 — Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. • https://github.com/bde574786/Sequelize-1day-CVE-2023-25813 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-22579 – Sequalize - Unsafe fall-through in getWhereConditions
https://notcve.org/view.php?id=CVE-2023-22579
16 Feb 2023 — Due to improper parameter filtering in the sequalize js library, can a attacker peform injection. • https://csirt.divd.nl/CVE-2023-22579 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •

CVE-2023-22578 – Sequalize - Default support for “raw attributes” when using parentheses
https://notcve.org/view.php?id=CVE-2023-22578
16 Feb 2023 — Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections. • https://csirt.divd.nl/CVE-2023-22578 • CWE-790: Improper Filtering of Special Elements •

CVE-2023-22580 – Sequalize - Bad query filtering leading to SQL errors
https://notcve.org/view.php?id=CVE-2023-22580
10 Jan 2023 — Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure. Tiki Wiki CMS Groupware versions 24.0 and below suffers from a PHP object injection vulnerability in grid.php. • https://packetstorm.news/files/id/170434 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2019-10749
https://notcve.org/view.php?id=CVE-2019-10749
29 Oct 2019 — sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect. sequelize anterior a la versión 3.35.1, permite a atacantes realizar una inyección SQL debido a que las claves de ruta JSON no son saneadas apropiadamente en el dialecto de Postgres. • https://github.com/sequelize/sequelize/commit/ee4017379db0059566ecb5424274ad4e2d66bc68 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2019-10748
https://notcve.org/view.php?id=CVE-2019-10748
28 Oct 2019 — Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects. Todas las versiones anteriores a 3.35.1, 4.44.3 y 5.8.11 de Sequelize, son vulnerables a una Inyección SQL debido a que las claves de ruta JSON no se escapan correctamente para los dialectos de MySQL/MariaDB. • https://github.com/sequelize/sequelize/commit/a72a3f5%2C • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2019-10752
https://notcve.org/view.php?id=CVE-2019-10752
17 Oct 2019 — Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite. Sequelize, todas las versiones anteriores a la versión 4.44.3 y 5.15.1, es vulnerable a una inyección SQL debido a que la función auxiliar sequelize.json() no escapa los valores apropiadamente cuando se formatean subrutas para consultas JSON para MySQL, MariaDB y SQLite. • https://github.com/sequelize/sequelize/commit/9bd0bc1%2C • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2019-11069
https://notcve.org/view.php?id=CVE-2019-11069
10 Apr 2019 — Sequelize version 5 before 5.3.0 does not properly ensure that standard conforming strings are used. Sequelize versión 5 anterior a 5.3.0, no garantiza de manera apropiada que se utilicen cadenas conformes al estándar. • https://github.com/sequelize/sequelize/blob/98cb17c17f73e2aa1792aa5a1d31216ba984b456/lib/dialects/postgres/connection-manager.js#L158-L160 • CWE-20: Improper Input Validation •

CVE-2016-10550
https://notcve.org/view.php?id=CVE-2016-10550
31 May 2018 — sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS If user input goes into the `limit` or `order` parameters, a malicious user can put in their own SQL statements. This affects sequelize 3.16.0 and earlier. sequelize es un mapeo objeto-relacional, o un "middleman", para convertir cosas de Postgres, MySQL, MariaDB, SQLite y Microsoft SQL Server en datos usables para NodeJS. Si las entradas de u... • https://github.com/sequelize/sequelize/pull/5167/commits/f282d85e60e3df5e57ecdb82adccb4eaef404f03 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •