CVSS: 9.8EPSS: 1%CPEs: 18EXPL: 1CVE-2019-7164 – python-sqlalchemy: SQL Injection when the order_by parameter can be controlled
https://notcve.org/view.php?id=CVE-2019-7164
20 Feb 2019 — SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter. SQLAlchemy, hasta la versión 1.2.17 y las 1.3.x hasta la 1.3.0b2, permite Inyección SQL mediante el parámetro "order_by". Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. SQLAlche... • http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00087.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 1%CPEs: 14EXPL: 1CVE-2012-0805 – python-sqlalchemy: SQL injection flaw due to not checking LIMIT input for correct type
https://notcve.org/view.php?id=CVE-2012-0805
05 Jun 2012 — Multiple SQL injection vulnerabilities in SQLAlchemy before 0.7.0b4, as used in Keystone, allow remote attackers to execute arbitrary SQL commands via the (1) limit or (2) offset keyword to the select function, or unspecified vectors to the (3) select.limit or (4) select.offset function. Múltiples vulnerabilidades de inyección SQL en SQLAlchemy antes v0.7.0b4, tal y como se usa en Keystone, permite a atacantes remotos ejecutar comandos SQL a través de las palabras clave (1) limit (límite) o (2) offset (desp... • http://rhn.redhat.com/errata/RHSA-2012-0369.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •