SQL Injection

2015-10-17T19:41:46
ID NODEJS:33
Type nodejs
Reporter Levan Basharuli
Modified 2018-02-23T23:24:14

Description

Overview

Versions 2.0.0-rc-7 and earlier of sequelize are affected by a SQL injection vulnerability when user input is passed into the order parameter.

Proof of Concept

```javascript
// Affected versions pass the direction string through to the generated ORDER BY clause,
// so an attacker-controlled value in that position becomes SQL.
Test.findAndCountAll({ where: { id: 1 }, order: [['id', 'UNTRUSTED USER INPUT']] })
```

Recommendation

Update to version 2.0.0-rc8 or later
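Independently of the upgrade, the sort column and direction handed to `order` should only ever come from an allow-list. The following is an added example (not code from the advisory or from the sequelize project) that builds the `order` option from an untrusted `sort` query parameter; the model name `Test` and the column names are assumptions.

```javascript
// Added example: allow-list the column and direction before they reach Sequelize's `order`.
// Column names below are hypothetical; replace them with the model's real attributes.
const ALLOWED_COLUMNS = new Set(['id', 'name', 'createdAt']);
const ALLOWED_DIRECTIONS = new Set(['ASC', 'DESC']);

// Parses a "column:direction" value (e.g. "id:desc") from request input and returns a
// Sequelize-style order array. Anything outside the allow-lists is rejected rather than
// passed through, so free-form text can never land in the ORDER BY clause.
function buildOrder(sortParam, fallback = ['id', 'ASC']) {
  if (sortParam === undefined || sortParam === null || sortParam === '') {
    return [fallback];
  }
  if (typeof sortParam !== 'string') {
    throw new TypeError('sort parameter must be a string');
  }
  const parts = sortParam.split(':');
  if (parts.length > 2) {
    throw new RangeError('sort parameter must be "column" or "column:direction"');
  }
  const column = parts[0];
  const direction = (parts[1] || 'ASC').toUpperCase();
  if (!ALLOWED_COLUMNS.has(column)) {
    throw new RangeError(`unsupported sort column: ${column}`);
  }
  if (!ALLOWED_DIRECTIONS.has(direction)) {
    throw new RangeError(`unsupported sort direction: ${parts[1]}`);
  }
  return [[column, direction]];
}

// Usage with the model from the proof of concept (assumes an Express-style `req`):
// Test.findAndCountAll({ where: { id: 1 }, order: buildOrder(req.query.sort) })
```

Because the returned array only ever contains values copied from the allow-lists, the raw request string is never interpolated, whichever sequelize version is installed.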

References

Issue #2906