3 matches found
@loke/mysql-orm (=1.12.0), @weiqiwang/nodejs-develop-kit (=1.2.0) +179 more potentially affected by CVE-2016-10550 via sequelize (>=1.0.2 <=3.14.2)
sequelize NPM version =1.0.2, =0.0.1, =0.0.1, =0.0.1, =0.1.0, =0.0.1, =0.0.5, =0.0.1, =0.0.1, =2.0.0, =0.0.1, =0.0.2-a, =0.0.131-a and more. Source CVEs: CVE-2016-10550. Source advisory: OSV:GHSA-98PQ-PMW9-4GPM...
CVE-2016-10550
sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. If user input goes into the limit or order parameters, a malicious user can put in their own SQL statements. This affects sequeliz...
CVE-2016-10550
The CVE-2016-10550 issue affects sequelize (ORM for Node.js) where user input into limit or order parameters can be used to inject SQL. Concrete details across documents show affected version: 3.16.0 and earlier. Root cause is improper handling of input in query construction, enabling SQL stateme...