
CVE-2023-25813 – SQL Injection via replacements in sequelize
https://notcve.org/view.php?id=CVE-2023-25813
22 Feb 2023 — Sequelize is a Node.js ORM tool. Versions prior to 6.19.1 contain a SQL injection related to replacements: parameters passed through `replacements` are not properly escaped, which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. • https://github.com/bde574786/Sequelize-1day-CVE-2023-25813 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
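
Sequelize documents `replacements` as text substitution performed by the ORM before the SQL reaches the driver (unlike `bind`, which the database driver handles), so the substitution step itself has to get escaping right. The block below is an added illustration of what a defensive substitution must do, not sequelize's own implementation; the helper names `escapeValue` and `interpolate` and the sample queries are assumptions: escape every value by type (arrays element by element), never expand a placeholder that already sits inside a string literal, and run in a single pass so substituted text is not re-scanned.

```javascript
// Added example, not sequelize's code. Helper names are hypothetical.
// Escapes a single replacement value according to its JavaScript type.
function escapeValue(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') {
    if (!Number.isFinite(value)) throw new TypeError('non-finite number');
    return String(value);
  }
  if (typeof value === 'boolean') return value ? 'TRUE' : 'FALSE';
  if (typeof value === 'string') return "'" + value.replace(/'/g, "''") + "'";
  if (Array.isArray(value)) {
    // Arrays are escaped element by element, never stringified as a whole.
    if (value.length === 0) throw new TypeError('empty array in IN list');
    return '(' + value.map(escapeValue).join(', ') + ')';
  }
  throw new TypeError('unsupported replacement type: ' + typeof value);
}

// Substitutes ":name" placeholders found outside string literals.
// Substituted text is appended to the output and never scanned again.
function interpolate(sql, replacements) {
  let out = '';
  let inLiteral = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (ch === "'") {
      // A doubled quote inside a literal toggles twice, so tracking stays correct.
      inLiteral = !inLiteral;
      out += ch;
      continue;
    }
    if (!inLiteral && ch === ':') {
      if (sql[i + 1] === ':') { out += '::'; i++; continue; } // Postgres cast, not a placeholder
      let j = i + 1;
      while (j < sql.length && /[A-Za-z0-9_]/.test(sql[j])) j++;
      const name = sql.slice(i + 1, j);
      if (name.length > 0 && /^[A-Za-z_]/.test(name)) {
        if (!Object.prototype.hasOwnProperty.call(replacements, name)) {
          throw new Error('missing replacement: ' + name);
        }
        out += escapeValue(replacements[name]);
        i = j - 1;
        continue;
      }
    }
    out += ch;
  }
  if (inLiteral) throw new Error('unterminated string literal in SQL');
  return out;
}

// Constructed usage: the hostile value stays inside its literal.
const demo = interpolate("SELECT * FROM users WHERE name = :name AND id IN :ids",
  { name: "' OR 1=1 --", ids: [1, 2] });
```

A placeholder that a developer has written inside quotes (`WHERE name = ':name'`) is deliberately left alone rather than expanded: expanding an already-quoted value inside another literal is exactly the situation in which escaping stops being meaningful.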

CVE-2023-22579 – Sequelize - Unsafe fall-through in getWhereConditions
https://notcve.org/view.php?id=CVE-2023-22579
16 Feb 2023 — Due to improper parameter filtering in the Sequelize JS library, an attacker can perform an injection. • https://csirt.divd.nl/CVE-2023-22579 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •

CVE-2023-22578 – Sequelize - Default support for “raw attributes” when using parentheses
https://notcve.org/view.php?id=CVE-2023-22578
16 Feb 2023 — Due to improper attribute filtering in the Sequelize JS library, an attacker can perform SQL injection. • https://csirt.divd.nl/CVE-2023-22578 • CWE-790: Improper Filtering of Special Elements •
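
Both of the two entries above (CVE-2023-22579 and CVE-2023-22578) concern query options built from request data: a `where` value that arrives as an object or array instead of the scalar the code expected, and an `attributes` entry that looks like an expression rather than a column name. The block below is an added example of the checks an application should apply before such options reach any query builder; it is not sequelize's code, and the helpers `assertScalarWhere`, `selectAttributes`, `quoteIdentifier`, `buildSelect` and the `userSchema` allowlist are assumptions.

```javascript
// Added example, not sequelize's code. Helper names and schema are hypothetical.
const SCALAR_TYPES = new Set(['string', 'number', 'boolean']);

// Rejects non-scalar where values. JSON bodies can carry {} or [] where a
// string was expected; a builder that branches on typeof/Array.isArray may then
// treat such a value as an operator map instead of a literal.
function assertScalarWhere(where, schema) {
  if (where === null || typeof where !== 'object' || Array.isArray(where)) {
    throw new TypeError('where must be a plain object');
  }
  for (const [column, value] of Object.entries(where)) {
    const expected = schema[column];
    if (!expected) throw new Error('unknown column in where: ' + column);
    if (!SCALAR_TYPES.has(typeof value) || typeof value !== expected) {
      throw new TypeError(`where.${column} must be a ${expected}`);
    }
  }
  return where;
}

// Double-quoted identifier (ANSI / Postgres / SQLite style), embedded quotes doubled.
function quoteIdentifier(name) {
  return '"' + name.replace(/"/g, '""') + '"';
}

// Only allow-listed column names pass, and each is quoted as an identifier, so
// "count(*)" or "(SELECT ...)" can never be emitted as raw SQL text.
function selectAttributes(requested, schema) {
  if (!Array.isArray(requested) || requested.length === 0) {
    throw new TypeError('attributes must be a non-empty array');
  }
  return requested.map((attr) => {
    if (typeof attr !== 'string' || !Object.prototype.hasOwnProperty.call(schema, attr)) {
      throw new Error('attribute not allowed: ' + String(attr));
    }
    return quoteIdentifier(attr);
  });
}

// Constructed schema: column name -> expected JavaScript type of where values.
const userSchema = { id: 'number', email: 'string', is_admin: 'boolean' };

// Builds a parameterised SELECT from a parsed request body (constructed shape).
function buildSelect(body) {
  const cols = selectAttributes(body.attributes, userSchema).join(', ');
  const where = assertScalarWhere(body.where, userSchema);
  // Values are not inlined; they are returned as bind parameters.
  const predicate = Object.keys(where)
    .map((c) => `${quoteIdentifier(c)} = ?`)
    .join(' AND ');
  return { sql: `SELECT ${cols} FROM "users" WHERE ${predicate}`, params: Object.values(where) };
}
```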

CVE-2023-22580 – Sequelize - Bad query filtering leading to SQL errors
https://notcve.org/view.php?id=CVE-2023-22580
10 Jan 2023 — Due to improper input filtering in the Sequelize JS library, malicious queries can lead to sensitive information disclosure. • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2019-10749
https://notcve.org/view.php?id=CVE-2019-10749
29 Oct 2019 — sequelize before version 3.35.1 allows attackers to perform a SQL injection because JSON path keys are not properly sanitized in the Postgres dialect. • https://github.com/sequelize/sequelize/commit/ee4017379db0059566ecb5424274ad4e2d66bc68 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2019-10748
https://notcve.org/view.php?id=CVE-2019-10748
28 Oct 2019 — Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL injection because JSON path keys are not properly escaped for the MySQL/MariaDB dialects. • https://github.com/sequelize/sequelize/commit/a72a3f5 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
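
The two entries above (CVE-2019-10749 for Postgres, CVE-2019-10748 for MySQL/MariaDB) share one mechanism: JSON path keys taken from the `where` object end up inside the SQL text that addresses the JSON column. The block below is an added example, not sequelize's code, of building those lookups with the keys validated first; the helpers `assertPathKeys`, `jsonPathPostgres`, `jsonPathMysql`, `jsonPathUnsafe` and the hostile key are assumptions. The unsafe builder is included only to show what an unvalidated key does to the query text.

```javascript
// Added example, not sequelize's code. Helper names are hypothetical.
// Path keys are restricted to identifier-like strings, so none of the quoting
// rules of either dialect's path syntax can be reached by request data.
const KEY_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

function assertPathKeys(path) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new TypeError('path must be a non-empty array');
  }
  for (const key of path) {
    if (typeof key !== 'string' || !KEY_RE.test(key)) {
      throw new Error('invalid JSON path key: ' + JSON.stringify(key));
    }
  }
  return path;
}

// Identifier quoting per dialect: backticks for MySQL, double quotes otherwise.
function quoteIdentifier(name, dialect) {
  const q = dialect === 'mysql' ? '`' : '"';
  return q + name.split(q).join(q + q) + q;
}

// Postgres: "col"#>>'{a,b}' (text-array literal of path keys).
function jsonPathPostgres(column, path) {
  assertPathKeys(path);
  return `${quoteIdentifier(column, 'postgres')}#>>'{${path.join(',')}}'`;
}

// MySQL/MariaDB: JSON_UNQUOTE(JSON_EXTRACT(`col`, '$."a"."b"')).
function jsonPathMysql(column, path) {
  assertPathKeys(path);
  const expr = '$' + path.map((k) => `."${k}"`).join('');
  return `JSON_UNQUOTE(JSON_EXTRACT(${quoteIdentifier(column, 'mysql')}, '${expr}'))`;
}

// The unsafe shape the advisories describe: key text lands in the query untouched.
function jsonPathUnsafe(column, path) {
  return `"${column}"#>>'{${path.join(',')}}'`;
}

// Constructed hostile key: closes the path literal and concatenates SQL.
const hostileKey = "x'||(SELECT 1)||'";
```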

CVE-2016-10553
https://notcve.org/view.php?id=CVE-2016-10553
31 May 2018 — sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. A fix was pushed out that fixed potential SQL injection in sequelize 2.1.3 and earlier. • https://github.com/sequelize/sequelize/blob/master/changelog.md#300 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2016-10554
https://notcve.org/view.php?id=CVE-2016-10554
31 May 2018 — sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. Before version 1.7.0-alpha3, sequelize defaulted SQLite to use MySQL backslash escaping, even though SQLite uses Postgres escaping. • https://github.com/sequelize/sequelize/commit/c876192aa6ce1f67e22b26a4d175b8478615f42d • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
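
The entry above is a dialect mismatch rather than a missing escape: MySQL accepts `\'` inside a literal, but SQLite (and Postgres with standard_conforming_strings) treat the backslash as an ordinary character, so the literal ends at the quote that follows it. The block below is an added example, not sequelize's code, that escapes a hostile value both ways and then parses the result under standard-SQL rules to show where the literal actually ends; the helpers `escapeMysqlStyle`, `escapeStandard`, `literalEnd`, `checkLiteral` and the sample value are assumptions.

```javascript
// Added example, not sequelize's code. Helper names are hypothetical.
// MySQL-style escaping: backslash-escape backslashes and quotes.
function escapeMysqlStyle(s) {
  return "'" + s.replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'";
}

// Standard-SQL escaping (SQLite, Postgres): double the quote, leave backslashes alone.
function escapeStandard(s) {
  return "'" + s.replace(/'/g, "''") + "'";
}

// Index just past the end of the single-quoted literal starting at sql[start],
// parsed under standard rules ('' is a quote; backslash has no meaning), or -1
// if the literal never terminates.
function literalEnd(sql, start) {
  if (sql[start] !== "'") throw new Error('not at a literal');
  for (let i = start + 1; i < sql.length; i++) {
    if (sql[i] === "'") {
      if (sql[i + 1] === "'") { i++; continue; } // doubled quote stays inside
      return i + 1;
    }
  }
  return -1;
}

// Splits an escaped value into what the database will parse as the literal and
// whatever trails it. A non-empty trailer means the value broke out as SQL.
function checkLiteral(escaped) {
  const end = literalEnd(escaped, 0);
  if (end === -1) return { literal: null, trailer: escaped };
  return { literal: escaped.slice(0, end), trailer: escaped.slice(end) };
}

// Constructed hostile value.
const hostile = "' OR 1=1 --";
```

Under standard rules the MySQL-escaped form `'\' OR 1=1 --'` is the one-character literal `\` followed by ` OR 1=1 --'` as live SQL, which is the injection the advisory describes; the same value escaped by quote doubling stays a single literal.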

CVE-2016-10550
https://notcve.org/view.php?id=CVE-2016-10550
31 May 2018 — sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. If user input goes into the `limit` or `order` parameters, a malicious user can put in their own SQL statements. This affects sequelize 3.16.0 and earlier. • https://github.com/sequelize/sequelize/pull/5167/commits/f282d85e60e3df5e57ecdb82adccb4eaef404f03 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
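
`limit` and `order` are SQL syntax, not values, so no string escaping can make them safe; they have to be validated against what the query may legitimately contain. The block below is an added example, not sequelize's code, of that validation next to the interpolation pattern the advisory warns about; the helpers `parseLimit`, `parseOrder`, `buildTail`, `buildTailUnsafe`, the `ORDERABLE` allowlist and the `column:direction` request convention are assumptions.

```javascript
// Added example, not sequelize's code. Helper names and conventions are hypothetical.
const ORDERABLE = new Set(['id', 'created_at', 'email']); // constructed allowlist
const MAX_LIMIT = 100;

function quoteIdentifier(name) {
  return '"' + name.replace(/"/g, '""') + '"';
}

// Accepts only a short decimal integer in range; rejects "10; DROP ...", "1e3", "0".
function parseLimit(raw) {
  const s = String(raw);
  if (!/^\d{1,4}$/.test(s)) throw new Error('invalid limit: ' + s);
  const n = Number(s);
  if (n < 1 || n > MAX_LIMIT) throw new RangeError('limit out of range: ' + n);
  return n;
}

// Expected request shape: "column" or "column:asc|desc" (constructed convention).
// The column must be allow-listed; the direction must be one of two keywords.
function parseOrder(raw) {
  const [column, dirRaw = 'asc'] = String(raw).split(':');
  if (!ORDERABLE.has(column)) throw new Error('column not orderable: ' + column);
  const dir = dirRaw.toLowerCase();
  if (dir !== 'asc' && dir !== 'desc') throw new Error('invalid direction: ' + dirRaw);
  return { column, direction: dir.toUpperCase() };
}

// Builds the ORDER BY / LIMIT tail from validated parts only.
function buildTail(query) {
  const parts = [];
  if (query.order !== undefined) {
    const { column, direction } = parseOrder(query.order);
    parts.push(`ORDER BY ${quoteIdentifier(column)} ${direction}`);
  }
  if (query.limit !== undefined) parts.push(`LIMIT ${parseLimit(query.limit)}`);
  return parts.join(' ');
}

// The unsafe shape the advisory describes: raw request values interpolated as syntax.
function buildTailUnsafe(query) {
  return `ORDER BY ${query.order} LIMIT ${query.limit}`;
}
```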

CVE-2016-10556
https://notcve.org/view.php?id=CVE-2016-10556
29 May 2018 — sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped. This causes potential SQL injection in sequelize 3.19.3 and earlier, where a malicious user could put `["test", "'); DELETE TestTable WHERE Id = 1 --')"]` inside of ``` database.query('SELECT * FROM TestTable WHERE Name I... • https://github.com/sequelize/sequelize/issues/5671 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •