CVSS: 10.0EPSS: 4%CPEs: 1EXPL: 8CVE-2023-25813 – SQL Injection via replacements in sequelize
https://notcve.org/view.php?id=CVE-2023-25813
22 Feb 2023 — Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. • https://github.com/bde574786/Sequelize-1day-CVE-2023-25813 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.9EPSS: 0%CPEs: 26EXPL: 0CVE-2023-22579 – Sequalize - Unsafe fall-through in getWhereConditions
https://notcve.org/view.php?id=CVE-2023-22579
16 Feb 2023 — Due to improper parameter filtering in the sequalize js library, can a attacker peform injection. • https://csirt.divd.nl/CVE-2023-22579 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 10.0EPSS: 0%CPEs: 26EXPL: 0CVE-2023-22578 – Sequalize - Default support for “raw attributes” when using parentheses
https://notcve.org/view.php?id=CVE-2023-22578
16 Feb 2023 — Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections. • https://csirt.divd.nl/CVE-2023-22578 • CWE-790: Improper Filtering of Special Elements •
CVSS: 7.8EPSS: 0%CPEs: 26EXPL: 1CVE-2023-22580 – Sequalize - Bad query filtering leading to SQL errors
https://notcve.org/view.php?id=CVE-2023-22580
10 Jan 2023 — Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure. Tiki Wiki CMS Groupware versions 24.0 and below suffers from a PHP object injection vulnerability in grid.php. • https://packetstorm.news/files/id/170434 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 1CVE-2019-10748
https://notcve.org/view.php?id=CVE-2019-10748
28 Oct 2019 — Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects. Todas las versiones anteriores a 3.35.1, 4.44.3 y 5.8.11 de Sequelize, son vulnerables a una Inyección SQL debido a que las claves de ruta JSON no se escapan correctamente para los dialectos de MySQL/MariaDB. • https://github.com/sequelize/sequelize/commit/a72a3f5%2C • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1CVE-2019-10752
https://notcve.org/view.php?id=CVE-2019-10752
17 Oct 2019 — Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite. Sequelize, todas las versiones anteriores a la versión 4.44.3 y 5.15.1, es vulnerable a una inyección SQL debido a que la función auxiliar sequelize.json() no escapa los valores apropiadamente cuando se formatean subrutas para consultas JSON para MySQL, MariaDB y SQLite. • https://github.com/sequelize/sequelize/commit/9bd0bc1%2C • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11069
https://notcve.org/view.php?id=CVE-2019-11069
10 Apr 2019 — Sequelize version 5 before 5.3.0 does not properly ensure that standard conforming strings are used. Sequelize versión 5 anterior a 5.3.0, no garantiza de manera apropiada que se utilicen cadenas conformes al estándar. • https://github.com/sequelize/sequelize/blob/98cb17c17f73e2aa1792aa5a1d31216ba984b456/lib/dialects/postgres/connection-manager.js#L158-L160 • CWE-20: Improper Input Validation •